paolodelia99 / Simple-node-chat-app

A simple chat app built with node.js and socket.io
https://paolown-node-chat-app.herokuapp.com/
MIT License

insecure don't deploy to production #6

Open todduk opened 3 years ago

todduk commented 3 years ago

Write a message such as

<script>alert('lol');</script>hey

[screenshot of the alert dialog, attached to the issue]

paolodelia99 commented 3 years ago

It's strange, on my PC it doesn't happen. [screenshot: chat_app] I don't know what might be the cause of that.

todduk commented 3 years ago

Sorry I took so long to respond. My pic is from your deployment to heroku, maybe running locally you have some XSS protection? Can't offer any more insight as I didn't examine the code. I did a quick test across clients with a private window and everyone in the same room gets the same alert displayed to them. Probably you're updating the innerHtml on new message rather than innerText?

I was looking for a quick and dirty websocket chat implementation and came across this one and just wanted to give a quick warning. All the best.
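The render path todduk suspects, shown as an added illustration (this is not the repository's code): a client-side handler that injects the message via innerHTML beside a hardened version that uses DOM text nodes, plus an HTML escaper for any code path that must build a markup string. The message object shape and function names are assumptions.

```javascript
// Vulnerable pattern (assumed, not the repo's code): the untrusted message is
// interpolated into innerHTML, so the browser parses tags and on* attributes
// from the message as live markup on every client in the room.
function renderMessageUnsafe(container, msg) {
  container.innerHTML += `<p><b>${msg.user}</b>: ${msg.text}</p>`;
}

// Hardened: build nodes and assign the message with textContent / text nodes,
// which are never parsed as HTML. Same room broadcast, no injection.
function renderMessageSafe(container, msg) {
  const p = document.createElement('p');
  const b = document.createElement('b');
  b.textContent = msg.user;
  p.appendChild(b);
  p.appendChild(document.createTextNode(`: ${msg.text}`));
  container.appendChild(p);
}

// For code paths that must emit an HTML string (templates, server-rendered
// history), escape the five characters that can change the meaning of markup.
const HTML_ESCAPES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
};
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

function messageToHtml(msg) {
  return `<p><b>${escapeHtml(msg.user)}</b>: ${escapeHtml(msg.text)}</p>`;
}

// Constructed sample: the exact message from the issue report.
const SAMPLE = { user: 'todduk', text: "<script>alert('lol');</script>hey" };

// In a browser: renderMessageSafe(document.getElementById('messages'), SAMPLE)
// shows the literal text "<script>alert('lol');</script>hey" to every client.
```

The server side needs no change for this fix, since socket.io already forwards the message as a plain string; the bug is purely in how the client renders it.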