hewiefreeman / GopherGameServer

:trophy: Feature packed, easy-to-use game server API for Go back-ends and Javascript clients. Tutorials and examples included!
https://hewiefreeman.github.io/GopherGameServer
Apache License 2.0

Strip special chars in messages that come from users #9

Open perling1 opened 2 years ago

perling1 commented 2 years ago

I could break my output in html/js because the server relays messages unfiltered from user to other user, e.g. "room messages" or "private messages".

So my request is: Please enable a config or a small code that strips "special chars/html/tags/javascript" from user input.

I couldn't figure out where this aspect could be implemented correctly. (Core?)

hewiefreeman commented 2 years ago

Yep, take a look at core/messaging.go. I'll update the chat callbacks so it's possible to prevent the message from being sent if you return false. That way, you can inspect the message and return false if you don't like any of the characters.

perling1 commented 2 years ago

Can you give a hint, how to access the message as a string? I am trying to enhance the function sendMessage:

func (r *Room) sendMessage(mt int, st int, rec []string, a string, m interface{}) error {

But I don't know how to strip m, as m is an interface.

// New Replace function not compiling, as "m" is not a string
outputstr := strings.Replace(m, ";", "", -1)

perling1 commented 2 years ago

> Yep, take a look at core/messaging.go. I'll update the chat callbacks so it's possible to prevent the message from being sent if you return false. That way, you can inspect the message and return false if you don't like any of the characters.

In your concept it is only possible to deny a message. Isn't it better to clean the message text of special chars and still send/process it? Thus "cut" special chars and prevent cross-site attacks/SQL injection etc.?

perling1 commented 2 years ago

Ok, I extended the core messaging.go. To do it without bigger changes, the html Go package has a function to escape HTML chars from a string: https://pkg.go.dev/html#EscapeString Now it's safe to show the messages to other users in an HTML context.

import (
    "fmt"
    "html"
)
..
// The message line 234
    // render the interface{} payload as text, then escape it for an HTML text context
    outputstr := fmt.Sprintf("%v", m)
    outputstr = html.EscapeString(outputstr)

    message[helpers.ServerActionRoomMessage]["m"] = outputstr
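As an added, self-contained example (not GopherGameServer code and not the snippet posted above), this is the approach the thread converges on written as one function: render the interface{} payload to a string, escape it with html.EscapeString for the HTML text context, and, following the maintainer's callback idea, return false so the caller can refuse to relay a message instead of silently rewriting it. The function name, the control-character check and the sample payloads are my own constructions.

```go
package main

import (
	"fmt"
	"html"
	"unicode"
)

// sanitizeMessage is a constructed example (not GopherGameServer code).
// It follows the shape of the patch posted in this thread: the relayed payload
// arrives as interface{}, is rendered to a string, and is escaped for an HTML
// text context with html.EscapeString. The bool mirrors the maintainer's
// callback idea: false means "do not relay this message".
func sanitizeMessage(m interface{}) (out string, ok bool) {
	var raw string
	switch v := m.(type) {
	case string:
		raw = v // the common chat case, no fmt round trip needed
	case fmt.Stringer:
		raw = v.String()
	default:
		raw = fmt.Sprintf("%v", v) // numbers, maps, structs, ...
	}
	// Control characters (other than tab/newline) have no place in chat text
	// and corrupt server logs; reject the message rather than "cleaning" it,
	// which would be lossy and would hide the misbehaving client.
	for _, r := range raw {
		if unicode.IsControl(r) && r != '\n' && r != '\t' {
			return "", false
		}
	}
	// html.EscapeString rewrites <, >, &, ' and " as entities, so the text
	// renders literally when a client inserts it as HTML. It is only correct
	// for the HTML text (and quoted attribute) context; a client that splices
	// the value into a JavaScript string or an unquoted attribute still needs
	// its own context-specific encoding, or should use textContent instead.
	return html.EscapeString(raw), true
}

func main() {
	for _, m := range []interface{}{`<script>x</script> & "q"`, 42, "bad\x00byte"} {
		out, ok := sanitizeMessage(m)
		fmt.Printf("%-28q -> ok=%-5t %q\n", fmt.Sprint(m), ok, out)
	}
}
```

Because escaping is reversible (html.UnescapeString restores the original), the recipient still sees exactly what was typed, which is the advantage over stripping characters.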