wandenberg / nginx-push-stream-module

A pure stream http push technology for your Nginx setup. Comet made easy and really scalable.

escaping (XSS) bug in stream mode #16

Closed adamgundy closed 12 years ago

adamgundy commented 12 years ago

If the character ' (apostrophe) is used as part of the payload (or the channel name, much less likely), and pushstream is working in stream mode, you will get a JavaScript error on the client.

The issue is that in stream mode (and only stream mode!), the payload is pushed to the client using a JavaScript function call, like this:

The ' is not escaped (i.e. as \') and so it is interpreted as the end of the string argument.

This is trivial to demonstrate: go to the demo chat page using IE and enter some text with a ' in it. You will get a JavaScript error.

adamgundy commented 12 years ago

Wow. This falls down a nasty rabbit hole. You can't just fix the apostrophe because there are all sorts of other caveats. Take a look at the OWASP project for some possibilities.

The simplest solution IMHO is to do something like base64-encode the data and have pushstream.js undo that. Then you are guaranteed that no "escape the escape" attacks will work.

Otherwise this opens a huge XSS vulnerability to anyone using a browser that does not support EventSource (IE, Android, etc.).
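The two fixes discussed in this comment, shown side by side with the naive apostrophe-only escape, as an added example that is not code from pushstream.js or the module: the function names are ours, and the base64 helpers assume Node's `Buffer`.

```javascript
// Added example, not pushstream.js code: three ways of placing a pushed
// message inside a single-quoted JavaScript string literal, as stream mode does.

// Naive fix: only the apostrophe is escaped. A message that already carries a
// backslash before the quote ("\'") comes out as "\\'", which the JS lexer
// reads as an escaped backslash followed by a quote that ends the literal.
function naiveEscape(s) {
  return s.replace(/'/g, "\\'");
}

// OWASP-style encoding for a JavaScript string context: every character that
// is not alphanumeric becomes a \xHH or \uHHHH escape, so quotes, backslashes,
// line terminators and "</script>" can never leave the literal.
function encodeForJsString(s) {
  let out = "";
  for (const ch of s) {
    const cp = ch.codePointAt(0);
    if (/[A-Za-z0-9]/.test(ch)) out += ch;
    else if (cp < 0x100) out += "\\x" + cp.toString(16).padStart(2, "0");
    else if (cp < 0x10000) out += "\\u" + cp.toString(16).padStart(4, "0");
    else out += "\\u{" + cp.toString(16) + "}";
  }
  return out;
}

// Base64 alternative from the thread: the wire form is limited to
// [A-Za-z0-9+/=], so nothing in it needs escaping and the client decodes it.
// Node's Buffer is assumed; a browser client would use atob with UTF-8 handling.
function encodeBase64(s) { return Buffer.from(s, "utf8").toString("base64"); }
function decodeBase64(b) { return Buffer.from(b, "base64").toString("utf8"); }

// Check: walk the encoded text the way the JS lexer does (a backslash consumes
// the next character) and report whether a bare quote or line terminator
// remains that would end a single-quoted literal early.
function terminatesLiteral(enc) {
  for (let i = 0; i < enc.length; i++) {
    if (enc[i] === "\\") { i++; continue; }
    if (enc[i] === "'" || enc[i] === "\n" || enc[i] === "\r") return true;
  }
  return false;
}

// Constructed sample messages: a plain apostrophe, an "escape the escape"
// message, and one carrying a closing script tag.
const samples = ["it's", "\\'", "a </script> b"];
for (const m of samples) {
  console.log(JSON.stringify(m), "naive breaks out:", terminatesLiteral(naiveEscape(m)),
              "encoded breaks out:", terminatesLiteral(encodeForJsString(m)));
}
```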

wandenberg commented 12 years ago

Hi,

Thanks for your alert. I changed pushstream.js to escape content, but you have to pay attention in your application to do the necessary validations when using it. As said in OWASP, each case requires a different treatment.