Merge pull request michaljaz#35 from NexusNull/threejs-javascript

michaljaz · web-flow · commit a774870e4cc9 · 2021-02-28T14:04:08.000+01:00
prevent xss
diff --git a/src/client/scripts/Chat.js b/src/client/scripts/Chat.js
@@ -53,11 +53,10 @@ class Chat {
     }
 
     log(message) {
-        if (
-            message.split(" ")[1].indexOf("<") == -1 &&
-            message.split(" ").indexOf(">") == -1
-        )
-            $(".chat").append(`<span>${message}<br></span>`);
+        const replacements = [[/&/g, "&amp;"], [/</g, "&lt;"], [/>/g, "&gt;"], [/"/g, "&quot;"]];
+        for (const replacement of replacements)
+            message = message.replace(replacement[0], replacement[1]);
+        $(".chat").append(`<span>${message}<br></span>`);
         this.scrollToBottom(this.chatDiv);
     }
 

Original file line number	Diff line number	Diff line change
`@@ -53,11 +53,10 @@ class Chat {`
`53`	`53`	`}`
`54`	`54`
`55`	`55`	`log(message) {`
`56`		`- if (`
`57`		`- message.split(" ")[1].indexOf("<") == -1 &&`
`58`		`- message.split(" ").indexOf(">") == -1`
`59`		`- )`
`60`		- $(".chat").append(`<span>${message}<br></span>`);
	`56`	`+ const replacements = [[/&/g, "&"], [/</g, "<"], [/>/g, ">"], [/"/g, """]];`
	`57`	`+ for (const replacement of replacements)`
	`58`	`+ message = message.replace(replacement[0], replacement[1]);`
	`59`	+ $(".chat").append(`<span>${message}<br></span>`);
`61`	`60`	`this.scrollToBottom(this.chatDiv);`
`62`	`61`	`}`
`63`	`62`