Users can post anything in our feed, including their own JavaScript code. That's a bit dangerous.
Step 1: reproduce the problem
Before you fix this problem, it's important to prove you can make the problem happen - if you don't know how to cause the problem, how can you prove you really fixed it?
Try posting a new post with this as the message:
Then go to the feed. You should see a button, which changes the whole site when clicked. That's bad! Anything a visitor's browser will run is a script, not just a <script> tag: a button with an onclick attribute is enough.
Step 2: find a useful tool
A sanitizer is a tool that takes something we don't trust (like text or code from a user) and cleans it up so we can trust that it is safe to show.
Let's use a premade sanitizer instead of writing our own - we wouldn't want to make a mistake that lets some bad scripts through.
This one looks ok: https://www.npmjs.com/package/sanitizer
It has some instructions on how to install it and then use it.
Step 3: fix
The server needs to clean up anything from the client before it is used.
Look in the server's code - that's index.js. Find the place where a new post arrives, and use the sanitizer to convert each value into a cleaned up version before the server saves it.
Test that your fix prevents new posts from adding scripts: post the message from step 1 again and check that the feed shows it as plain text instead of a working button. (It won't fix the posts that have already been made - see step 5.)
Step 4: are there other vulnerabilities?
The user can post a message, an image, and a name. We need to clean each of these! Cleaning only the message leaves the name and the image URL as ways in, and an image URL needs an extra check: escaping characters does nothing to a javascript: URL, so only accept http:// or https:// there.
[x] make sure every value the user can post gets cleaned up
It is also worth checking the feed page itself: if it escapes each value when it renders it, a post that slips past the server still can't run.
Step 5: database cleanup
[x] get our mlab.com log-in details from the mentors. Log into mlab, find our database and delete any posts that contain scripts.
The posts will disappear from your feed next time the server is restarted.
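The fix from steps 3 and 4 and the check from step 3, as an added example that is not the workshop's index.js. It assumes posts arrive as a JSON body with the three field names the page gives (name, image, message) and are saved as one object; in the real server you would pass require('sanitizer').sanitize (or its escape function) as the clean function. Because this file has to run with no npm packages installed, it uses a small HTML-escaping stand-in instead of the package. The http(s)-only rule for the image field, the "inert post" check and the cleanup query for step 5 (collection name assumed) are added here, not from the page; the inert check assumes the feed shows values as plain text, so if you use sanitizer.sanitize, which keeps harmless tags like b or i, check for script tags and on*= attributes instead of any angle bracket.

```javascript
// Added example (not the workshop's index.js): clean every value a user can post
// before it is saved, then prove the cleaned post can't add a script to the feed.

// The three fields the page says a user can post. Anything else in the request
// body is dropped so an unexpected field never reaches the database.
const POST_FIELDS = ['name', 'image', 'message'];

// Stand-in for the npm `sanitizer` package, used only so this file runs offline.
// It escapes every character that can open a tag or attribute, so the value is
// shown as text. (In index.js pass require('sanitizer').sanitize or .escape here.)
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Added check for the image field: escaping does nothing against a
// `javascript:` URL that later lands in an <img src> or <a href>, so only
// http(s) URLs are kept; anything else becomes an empty string.
function safeImageUrl(value) {
  const url = String(value).trim();
  return /^https?:\/\//i.test(url) ? url : '';
}

// Steps 3 and 4: every posted value goes through `clean` before it is saved.
// Hypothetical use in an Express-style route:
//   app.post('/posts', (req, res) => { save(cleanPost(req.body, sanitizer.sanitize)); ... });
function cleanPost(body, clean = escapeHtml) {
  const post = {};
  for (const field of POST_FIELDS) {
    const raw = body[field] === undefined ? '' : body[field];
    post[field] = clean(field === 'image' ? safeImageUrl(raw) : raw);
  }
  return post;
}

// Step 3's test: a cleaned post has no raw angle bracket in any field, so no
// tag (and therefore no onclick= or <script>) can form when the feed prints it,
// and its image is either empty or an http(s) URL.
function postIsInert(post) {
  const noTags = Object.values(post).every((v) => !/[<>]/.test(String(v)));
  const imageOk = post.image === '' || /^https?:\/\//i.test(post.image);
  return noTags && imageOk;
}

// Step 5: a query (for mlab's data browser or the mongo shell) that finds the
// posts already saved with a tag in any field, e.g. db.posts.deleteMany(query).
// Collection name `posts` is an assumption.
function buildCleanupQuery(fields = POST_FIELDS) {
  return {
    $or: fields.map((f) => ({ [f]: { $regex: '<[a-z/!]', $options: 'i' } })),
  };
}

// Constructed sample request body, the kind of post step 1 reproduces:
// a button with an inline handler, a javascript: image URL and a field the
// form never sends.
const suspiciousBody = {
  name: 'Mallory',
  image: 'javascript:alert(1)',
  message: '<button onclick="document.body.innerHTML=\'pwned\'">click me</button>',
  isAdmin: true,
};

// Run directly with `node clean-post.js` to see the before/after.
console.log('raw post inert?', postIsInert(suspiciousBody));
console.log(JSON.stringify(cleanPost(suspiciousBody), null, 2));
console.log('cleaned post inert?', postIsInert(cleanPost(suspiciousBody)));
console.log('cleanup query:', JSON.stringify(buildCleanupQuery()));
```

The escaped message is stored with `&lt;` and `&gt;` in place of the brackets, which is exactly what the feed should print; if your feed template escapes values again on output you will see the entities literally, which tells you the page already had output escaping and only the raw-HTML path needed fixing.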