properly implementing xss protection

NexusNull · NexusNull · commit bfb747d38588 · 2021-02-28T14:54:09.000+01:00
still serverside which isn't the best but it'll do for now
diff --git a/src/client/scripts/Chat.js b/src/client/scripts/Chat.js
@@ -59,11 +59,9 @@ Chat = class Chat {
   }
 
   log(message) {
-    const replacements = [[/&/g, "&amp;"], [/</g, "&lt;"], [/>/g, "&gt;"], [/"/g, "&quot;"]];
-    for (const replacement of replacements)
-      message = message.replace(replacement[0], replacement[1]);
-
-    this.chatDiv.append(`<span>${message}<br></span>`);
+    let elem = document.createElement("div");
+    elem.innerHTML = message+"<br>";
+    this.chatDiv.append(elem);
     this.scrollToBottom(this.chatDiv);
   }
 
diff --git a/src/index.js b/src/index.js
@@ -95,6 +95,13 @@ io.sockets.on("connection", function (socket) {
       emit(["kicked", reason]);
     },
     message: function (msg) {
+      let message = msg.extra[0].text
+
+      const replacements = [[/&/g, "&amp;"], [/</g, "&lt;"], [/>/g, "&gt;"], [/"/g, "&quot;"]];
+      for (const replacement of replacements)
+        message = message.replace(replacement[0], replacement[1]);
+      msg.extra[0].text = message;
+
       emit(["msg", convert.toHtml(msg.toAnsi())]);
     },
     experience: function () {

Original file line number	Diff line number	Diff line change
`@@ -59,11 +59,9 @@ Chat = class Chat {`
`59`	`59`	`}`
`60`	`60`
`61`	`61`	`log(message) {`
`62`		`- const replacements = [[/&/g, "&"], [/</g, "<"], [/>/g, ">"], [/"/g, """]];`
`63`		`- for (const replacement of replacements)`
`64`		`- message = message.replace(replacement[0], replacement[1]);`
`65`		`-`
`66`		- this.chatDiv.append(`<span>${message}<br></span>`);
	`62`	`+ let elem = document.createElement("div");`
	`63`	`+ elem.innerHTML = message+"<br>";`
	`64`	`+ this.chatDiv.append(elem);`
`67`	`65`	`this.scrollToBottom(this.chatDiv);`
`68`	`66`	`}`
`69`	`67`