akmadhwa / Chatapp

💬Chat App using Socket.io and node js
http://tuyul.herokuapp.com

Prevent HTML and JavaScript Injection #2

Closed iblancasa closed 7 years ago

iblancasa commented 7 years ago

Now, you can add this code to the text input:

<img src="URL to image">

And the image will be shown. This PR prevents HTML and JavaScript injections.

akmadhwa commented 7 years ago

Learn new things. Thanks @iblancasa

iblancasa commented 7 years ago

Why was this change not accepted?

akmadhwa commented 7 years ago

@iblancasa why do I keep getting undefined data when I want to send the message?

iblancasa commented 7 years ago

Oh! It would probably be a nice idea to add an if to check whether the message is undefined. In this case, do nothing.

akmadhwa commented 7 years ago

@iblancasa As far as I know, the striptags function is to remove tags, for example HTML tags. How come it can prevent injection? Correct me if I'm wrong.

iblancasa commented 7 years ago

If I understood properly, you are asking how this package prevents the HTML injection, right?

Striptags will remove the HTML tags. If you remove the HTML tags from the messages sent by the clients, these tags will not be in the message and these tags will not be injected.

You can connect to your chat and send this message:

<img src="https://media.npr.org/assets/img/2014/05/08/simp2006_homerarmscrossed_f_wide-f5b7cb17067fc89225d72d768a00dc0a9cf2545c.jpg">

Imagine that, instead of adding one image, this script adds malicious JavaScript.
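The two points raised in this thread (drop undefined messages; neutralise HTML such as `<img src="...">` before broadcasting) as an added example that is not the PR's own code. It escapes HTML-significant characters instead of using the striptags package, so the original text survives verbatim but renders inert; the `io`/`socket` handler shape and the 500-character limit are assumptions.

```javascript
// Added example (not from the Chatapp repository): server-side sanitisation
// of chat messages before a Socket.io server re-broadcasts them.

const MAX_MESSAGE_LENGTH = 500; // assumed limit, not taken from the project

const HTML_ESCAPES = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#39;",
};

// Returns a string that is safe to place into innerHTML, or null when the
// message should be dropped (undefined, non-string, blank, or too long).
function sanitizeChatMessage(raw) {
  if (typeof raw !== "string") {
    return null; // the "undefined data" case from the thread: do nothing
  }
  const trimmed = raw.trim();
  if (trimmed.length === 0 || trimmed.length > MAX_MESSAGE_LENGTH) {
    return null;
  }
  // Escaping rather than stripping: an <img> or <script> tag becomes visible
  // text, so no element is ever created in other clients' pages.
  return trimmed.replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Handler shape for a Socket.io server. `io` and `socket` are assumed to be
// the objects from require("socket.io")(server) and io.on("connection", ...).
function registerChatHandlers(io, socket) {
  socket.on("chat message", (msg) => {
    const safe = sanitizeChatMessage(msg);
    if (safe === null) {
      return; // silently ignore undefined or empty messages
    }
    io.emit("chat message", safe);
  });
}

// Constructed sample inputs to show the behaviour when run directly.
const samples = [undefined, "  hello  ", '<img src="https://example.invalid/x.png">'];
for (const sample of samples) {
  console.log(JSON.stringify(sample), "->", JSON.stringify(sanitizeChatMessage(sample)));
}
```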