search

D0us / Chat

Simple chatroom web application
0 stars 1 forks source link

Cross Site Scripting Vulnerability #1

Open corradoparisi opened 4 years ago

corradoparisi commented 4 years ago

Hello

I found XSS vulnerabilities in the chat rooms of your project.

The regex in the sanitize_inputs function (chat_ajax.php) allows many XSS possibilities.

Among other things these possibilities work in the chat:

<img src="a" onerror="javascript:alert(1)" />
<script x> alert(1) </script 1=2
<script x> alert(1) </script 111111
<script> alert(1) </script 111111
<script >alert(1)</script >

image

I would recommend to use this library: https://github.com/voku/anti-xss

corradoparisi commented 4 years ago

I created a Pull Request to fix this issue here: https://github.com/D0us/Chat/pull/2