From cb552341f329aaf4d2bd4ae13d7614b1a93abf52 Mon Sep 17 00:00:00 2001
From: Alejandro Romero Herrera <alromh87@gmail.com>
Date: Fri, 4 Sep 2020 10:50:29 +0300
Subject: [PATCH 1/5] Fix stored XSS

---
 server.js | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/server.js b/server.js
index 2e72800..f30dde1 100644
--- a/server.js
+++ b/server.js
@@ -11,9 +11,11 @@ server.listen(process.env.PORT || 3000);//publish to heroku
 //server.listen(process.env.OPENSHIFT_NODEJS_PORT || 3000);//publish to openshift
 //console.log('server started on port'+process.env.PORT || 3000);
 //handle the socket
+
 io.sockets.on('connection', function(socket) {
     //new user login
     socket.on('login', function(nickname) {
+        nickname = nickname.replace(/[^A-Za-z0-9]/g, '');
         if (users.indexOf(nickname) > -1) {
             socket.emit('nickExisted');
         } else {
@@ -34,6 +36,7 @@ io.sockets.on('connection', function(socket) {
     });
     //new message get
     socket.on('postMsg', function(msg, color) {
+        msg = msg.replace(/on[^\s]+[\s]*(=|&#61;|&equals;)[\s]*("|').+("|')/gi, '');
         socket.broadcast.emit('newMsg', socket.nickname, msg, color);
     });
     //new image get

From 574183b7da8b9cc7d9d378002e8127d0aace3bde Mon Sep 17 00:00:00 2001
From: Alejandro Romero Herrera <alromh87@gmail.com>
Date: Fri, 4 Sep 2020 11:31:33 +0300
Subject: [PATCH 2/5] Avoid showing XSS in self browser window

With option to show message
---
 www/scripts/hichat.js | 19 +++++++++++++++++++
 1 file changed, 19 insertions(+)

diff --git a/www/scripts/hichat.js b/www/scripts/hichat.js
index 7be8ed7..a920c9f 100644
--- a/www/scripts/hichat.js
+++ b/www/scripts/hichat.js
@@ -50,6 +50,10 @@ HiChat.prototype = {
         document.getElementById('loginBtn').addEventListener('click', function() {
             var nickName = document.getElementById('nicknameInput').value;
             if (nickName.trim().length != 0) {
+                if(testXSSattemtp(nickName)){
+                    document.getElementById('nicknameInput').value = '';
+                    return false;
+                }
                 that.socket.emit('login', nickName);
             } else {
                 document.getElementById('nicknameInput').focus();
@@ -59,6 +63,10 @@ HiChat.prototype = {
             if (e.keyCode == 13) {
                 var nickName = document.getElementById('nicknameInput').value;
                 if (nickName.trim().length != 0) {
+                    if(testXSSattemtp(nickName)){
+                        document.getElementById('nicknameInput').value = '';
+                        return false;
+                    }
                     that.socket.emit('login', nickName);
                 };
             };
@@ -70,6 +78,7 @@ HiChat.prototype = {
             messageInput.value = '';
             messageInput.focus();
             if (msg.trim().length != 0) {
+                if(testXSSattemtp(msg))return false;
                 that.socket.emit('postMsg', msg, color);
                 that._displayNewMsg('me', msg, color);
                 return;
@@ -81,6 +90,7 @@ HiChat.prototype = {
                 color = document.getElementById('colorStyle').value;
             if (e.keyCode == 13 && msg.trim().length != 0) {
                 messageInput.value = '';
+                if(testXSSattemtp(msg))return false;
                 that.socket.emit('postMsg', msg, color);
                 that._displayNewMsg('me', msg, color);
             };
@@ -174,3 +184,12 @@ HiChat.prototype = {
         return result;
     }
 };
+
+const showXSSMsg = false;
+function testXSSattemtp(txt){
+    if(txt.match(/<.*on[^\s]+[\s]*(=|&#61;|&equals;)[\s]*("|').+("|').*>/gi)){
+        if(showXSSMsg)alert('Please avoid attempting code execution');
+        return true;
+    }
+    return false;
+}

From c085762871d858ceb18df75b22ca48c2c117552f Mon Sep 17 00:00:00 2001
From: Alejandro Romero Herrera <alromh87@gmail.com>
Date: Fri, 4 Sep 2020 14:50:05 +0300
Subject: [PATCH 3/5] Updated to use DOMPurify Library

---
 package.json          |  3 ++-
 server.js             |  1 +
 www/index.html        |  1 +
 www/scripts/hichat.js | 16 ++++++----------
 4 files changed, 10 insertions(+), 11 deletions(-)

diff --git a/package.json b/package.json
index 66d3a3b..9c33700 100644
--- a/package.json
+++ b/package.json
@@ -4,6 +4,7 @@
     "version": "0.4.0",
     "main": "server.js",
     "dependencies": {
+        "dompurify": "^2.0.15",
         "express": "3.4.x",
         "socket.io": "0.9.x"
     },
@@ -11,4 +12,4 @@
         "node": "0.10.x",
         "npm": "1.2.x"
     }
-}
\ No newline at end of file
+}
diff --git a/server.js b/server.js
index f30dde1..0915bbe 100644
--- a/server.js
+++ b/server.js
@@ -5,6 +5,7 @@ var express = require('express'),
     users = [];
 //specify the html we will use
 app.use('/', express.static(__dirname + '/www'));
+app.use('/dompurify', express.static(__dirname + '/node_modules/dompurify/dist'));
 //bind the server to the 80 port
 //server.listen(3000);//for local test
 server.listen(process.env.PORT || 3000);//publish to heroku
diff --git a/www/index.html b/www/index.html
index a63719b..de1e1d8 100644
--- a/www/index.html
+++ b/www/index.html
@@ -46,6 +46,7 @@ <h1>HiChat :)</h1>
             <small>view on <a href="https://github.com/Wayou/HiChat">GitHub</a> | <a href="mailto:liuwayong@gmail.com">contact me</a></small>
         </footer>
         <script src="/socket.io/socket.io.js"></script>
+        <script src="/dompurify/purify.min.js"></script>
         <script src="scripts/hichat.js"></script>
         <script>
         /**REMOVE ME IF YOU CANT ACCESS GOOGLE SERVICE**/
diff --git a/www/scripts/hichat.js b/www/scripts/hichat.js
index a920c9f..0c19f55 100644
--- a/www/scripts/hichat.js
+++ b/www/scripts/hichat.js
@@ -50,10 +50,7 @@ HiChat.prototype = {
         document.getElementById('loginBtn').addEventListener('click', function() {
             var nickName = document.getElementById('nicknameInput').value;
             if (nickName.trim().length != 0) {
-                if(testXSSattemtp(nickName)){
-                    document.getElementById('nicknameInput').value = '';
-                    return false;
-                }
+                testXSSattemtp(nickName);
                 that.socket.emit('login', nickName);
             } else {
                 document.getElementById('nicknameInput').focus();
@@ -63,10 +60,7 @@ HiChat.prototype = {
             if (e.keyCode == 13) {
                 var nickName = document.getElementById('nicknameInput').value;
                 if (nickName.trim().length != 0) {
-                    if(testXSSattemtp(nickName)){
-                        document.getElementById('nicknameInput').value = '';
-                        return false;
-                    }
+                    testXSSattemtp(nickName);
                     that.socket.emit('login', nickName);
                 };
             };
@@ -78,7 +72,7 @@ HiChat.prototype = {
             messageInput.value = '';
             messageInput.focus();
             if (msg.trim().length != 0) {
-                if(testXSSattemtp(msg))return false;
+                testXSSattemtp(msg)
                 that.socket.emit('postMsg', msg, color);
                 that._displayNewMsg('me', msg, color);
                 return;
@@ -90,7 +84,7 @@ HiChat.prototype = {
                 color = document.getElementById('colorStyle').value;
             if (e.keyCode == 13 && msg.trim().length != 0) {
                 messageInput.value = '';
-                if(testXSSattemtp(msg))return false;
+                testXSSattemtp(msg);
                 that.socket.emit('postMsg', msg, color);
                 that._displayNewMsg('me', msg, color);
             };
@@ -149,6 +143,8 @@ HiChat.prototype = {
         emojiContainer.appendChild(docFragment);
     },
     _displayNewMsg: function(user, msg, color) {
+        user = DOMPurify.sanitize(user, {SAFE_FOR_JQUERY: true});
+        msg = DOMPurify.sanitize(msg, {SAFE_FOR_JQUERY: true});
         var container = document.getElementById('historyMsg'),
             msgToDisplay = document.createElement('p'),
             date = new Date().toTimeString().substr(0, 8),

From 232e01ad8fea6c3a7db2edef74655154bfd315cf Mon Sep 17 00:00:00 2001
From: Alejandro Romero Herrera <alromh87@gmail.com>
Date: Fri, 4 Sep 2020 23:37:31 +0300
Subject: [PATCH 4/5] Updated to treat all the message as text, avoiding XSS
 while keeping all text unafected

_safeShowEmoji function was created to keep emoji functionality while avoiding XSS
---
 server.js             |  3 +--
 www/scripts/hichat.js | 49 +++++++++++++++++++++++++++++++++++--------
 2 files changed, 41 insertions(+), 11 deletions(-)

diff --git a/server.js b/server.js
index 0915bbe..642f101 100644
--- a/server.js
+++ b/server.js
@@ -16,7 +16,7 @@ server.listen(process.env.PORT || 3000);//publish to heroku
 io.sockets.on('connection', function(socket) {
     //new user login
     socket.on('login', function(nickname) {
-        nickname = nickname.replace(/[^A-Za-z0-9]/g, '');
+        nickname = nickname.replace(/[^A-Za-z0-9]/g, '').substring(0,70);
         if (users.indexOf(nickname) > -1) {
             socket.emit('nickExisted');
         } else {
@@ -37,7 +37,6 @@ io.sockets.on('connection', function(socket) {
     });
     //new message get
     socket.on('postMsg', function(msg, color) {
-        msg = msg.replace(/on[^\s]+[\s]*(=|&#61;|&equals;)[\s]*("|').+("|')/gi, '');
         socket.broadcast.emit('newMsg', socket.nickname, msg, color);
     });
     //new image get
diff --git a/www/scripts/hichat.js b/www/scripts/hichat.js
index 0c19f55..43bd8c1 100644
--- a/www/scripts/hichat.js
+++ b/www/scripts/hichat.js
@@ -144,39 +144,70 @@ HiChat.prototype = {
     },
     _displayNewMsg: function(user, msg, color) {
         user = DOMPurify.sanitize(user, {SAFE_FOR_JQUERY: true});
-        msg = DOMPurify.sanitize(msg, {SAFE_FOR_JQUERY: true});
+//        msg = DOMPurify.sanitize(msg, {SAFE_FOR_JQUERY: true});
         var container = document.getElementById('historyMsg'),
             msgToDisplay = document.createElement('p'),
             date = new Date().toTimeString().substr(0, 8),
             //determine whether the msg contains emoji
-            msg = this._showEmoji(msg);
+            msg = this._safeShowEmoji(msg);
         msgToDisplay.style.color = color || '#000';
-        msgToDisplay.innerHTML = user + '<span class="timespan">(' + date + '): </span>' + msg;
+        msgToDisplay.innerHTML = user + '<span class="timespan">(' + date + '): </span>';
+        for (var i = 0; i<msg.length; i++){
+            msgToDisplay.appendChild(msg[i]);
+        }
         container.appendChild(msgToDisplay);
         container.scrollTop = container.scrollHeight;
     },
     _displayImage: function(user, imgData, color) {
+//        imgData = DOMPurify.sanitize(imgData)
         var container = document.getElementById('historyMsg'),
             msgToDisplay = document.createElement('p'),
             date = new Date().toTimeString().substr(0, 8);
         msgToDisplay.style.color = color || '#000';
-        msgToDisplay.innerHTML = user + '<span class="timespan">(' + date + '): </span> <br/>' + '<a href="' + imgData + '" target="_blank"><img src="' + imgData + '"/></a>';
+        var linkEl = document.createElement('a')
+        linkEl.href = imgData;
+        linkEl.target = '_blank';
+        var imgEl = document.createElement('img')
+        imgEl.src = imgData;
+        linkEl.appendChild(imgEl)
+        msgToDisplay.innerHTML = user + '<span class="timespan">(' + date + '): </span> <br/>'
+        msgToDisplay.appendChild(linkEl)
+
         container.appendChild(msgToDisplay);
         container.scrollTop = container.scrollHeight;
     },
-    _showEmoji: function(msg) {
-        var match, result = msg,
+    _safeShowEmoji: function(msg) {
+        var match, result = new Array(),
             reg = /\[emoji:\d+\]/g,
-            emojiIndex,
+            emojiIndex, newEl, prevLastIndex=0,
             totalEmojiNum = document.getElementById('emojiWrapper').children.length;
         while (match = reg.exec(msg)) {
+
+            if(match.index>prevLastIndex){ // Content exist before emoji
+                newEl = document.createElement('span');
+                newEl.textContent = msg.substring(prevLastIndex, match.index);
+                result.push(newEl);
+            }
+
             emojiIndex = match[0].slice(7, -1);
             if (emojiIndex > totalEmojiNum) {
-                result = result.replace(match[0], '[X]');
+                newEl = document.createElement('span');
+                newEl.textContent = '[X]';
+                result.push(newEl);
             } else {
-                result = result.replace(match[0], '<img class="emoji" src="../content/emoji/' + emojiIndex + '.gif" />');//todo:fix this in chrome it will cause a new request for the image
+                newEl = document.createElement('img');
+                newEl.src = '../content/emoji/' + emojiIndex + '.gif'; //todo:fix this in chrome it will cause a new request for the image ... Not sure it still happens
+                newEl.className = "emoji"
+                result.push(newEl);
             };
+            prevLastIndex = reg.lastIndex;
         };
+        if(reg.lastIndex<msg.length){ // Content exist after emojis
+            newEl = document.createElement('span');
+            newEl.textContent = msg.substring(prevLastIndex);
+            result.push(newEl);
+        }
+
         return result;
     }
 };

From 7f9ce5333c21a3ecc4c95b435adc9d7ad256c8c6 Mon Sep 17 00:00:00 2001
From: Alejandro Romero Herrera <alromh87@gmail.com>
Date: Sat, 5 Sep 2020 00:43:26 +0300
Subject: [PATCH 5/5] Avoid XSS on img link

---
 server.js             | 12 +++++++++++-
 www/scripts/hichat.js | 11 ++++++++++-
 2 files changed, 21 insertions(+), 2 deletions(-)

diff --git a/server.js b/server.js
index 642f101..9fbce4c 100644
--- a/server.js
+++ b/server.js
@@ -41,6 +41,16 @@ io.sockets.on('connection', function(socket) {
     });
     //new image get
     socket.on('img', function(imgData, color) {
-        socket.broadcast.emit('newImg', socket.nickname, imgData, color);
+        socket.broadcast.emit('newImg', socket.nickname, noJSLink(imgData), color);
     });
 });
+
+function noJSLink(text){
+    var reg = /javascript\s*:\s*/
+    text = text.replace("/\s+/", "");
+    while (match = reg.exec(text)) {
+        text = text.replace(match[0], '');
+        reg.lastIndex=0;
+    }
+    return text;
+}
diff --git a/www/scripts/hichat.js b/www/scripts/hichat.js
index 43bd8c1..e3d5f13 100644
--- a/www/scripts/hichat.js
+++ b/www/scripts/hichat.js
@@ -165,7 +165,7 @@ HiChat.prototype = {
             date = new Date().toTimeString().substr(0, 8);
         msgToDisplay.style.color = color || '#000';
         var linkEl = document.createElement('a')
-        linkEl.href = imgData;
+        linkEl.href = this._noJSLink(imgData);
         linkEl.target = '_blank';
         var imgEl = document.createElement('img')
         imgEl.src = imgData;
@@ -209,6 +209,15 @@ HiChat.prototype = {
         }
 
         return result;
+    },
+    _noJSLink: function(text){
+        var reg = /javascript\s*:\s*/
+        text = text.replace("/\s+/", "");
+        while (match = reg.exec(text)) {
+            text = text.replace(match[0], '');
+            reg.lastIndex=0;
+        }
+        return text;
     }
 };