Closed diracdeltas closed 3 years ago
i wasn't able to test this because the demo is broken, but https://github.com/cjb/serverless-webrtc/blob/master/js/serverless-webrtc.js#L314 injects messages as HTML without escaping. so if alice sends <script>alert('hi')</script> to bob in the chat log, it may get executed in bob's browser (https://github.com/cjb/serverless-webrtc/blob/master/js/serverless-webrtc.js#L146)
@diracdeltas I can confirm the XSS worked :) Thanks for the report, fixed now!
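The pattern described in the report, as an added example that is not part of this thread or of serverless-webrtc's own code: a chat line built by string concatenation, next to one that escapes every peer-supplied field first. The function names, the markup template and the sample messages are assumptions made for illustration; in a browser, assigning the message to `textContent` instead of building markup achieves the same result.

```javascript
// Added example. escapeHtml, renderUnsafe, renderSafe, injectedTags and audit
// are hypothetical names, not taken from serverless-webrtc.js.

const HTML_ESCAPES = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#39;",
};

// Replace every character that can open markup or break out of an attribute value.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable pattern: peer-controlled text concatenated straight into markup.
function renderUnsafe(sender, message) {
  return "<p><b>" + sender + ":</b> " + message + "</p>";
}

// Hardened pattern: every peer-controlled field is escaped before it reaches the markup.
function renderSafe(sender, message) {
  return "<p><b>" + escapeHtml(sender) + ":</b> " + escapeHtml(message) + "</p>";
}

// Constructed sample messages, including the one from the report.
const samples = [
  { sender: "alice", message: "<script>alert('hi')</script>" },
  { sender: "alice", message: "1 < 2 && 3 > 2" },
  { sender: "bob", message: "plain text" },
];

// Names of tags in a rendered line other than the template's own <p> and <b>.
function injectedTags(html) {
  const tags = html.match(/<\/?[a-zA-Z][a-zA-Z0-9]*/g) || [];
  return tags
    .map((t) => t.replace(/[<\/]/g, "").toLowerCase())
    .filter((name) => name !== "p" && name !== "b");
}

// Run a renderer over the samples and report any markup the input introduced.
function audit(render) {
  return samples.map((s) => injectedTags(render(s.sender, s.message)));
}

console.log("unsafe:", JSON.stringify(audit(renderUnsafe)));
console.log("safe:  ", JSON.stringify(audit(renderSafe)));
```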