javascript - I made a simple chat room with sockets.io, how do I prevent XSS attacks? -


as title says made simple chat room sockets.io, problem have no xss protection , buddies keep putting infinite loops usernames, can imagine how trolly getting :p. app.js

/**  * module dependencies.  */  var express = require('express')   , routes = require('./routes')   , user = require('./routes/user')   , http = require('http')   , path = require('path');  var app = express();  // environments app.set('port', process.env.port || 3000); app.set('views', __dirname + '/views'); app.set('view engine', 'jade'); app.use(express.favicon()); app.use(express.logger('dev')); app.use(express.bodyparser()); app.use(express.methodoverride()); app.use(app.router); app.use(express.static(path.join(__dirname, 'public')));  // development if ('development' == app.get('env')) {   app.use(express.errorhandler()); }  app.get('/', routes.index); app.get('/users', user.list);  var server = http.createserver(app).listen(app.get('port'), function(){   console.log('express server listening on port ' + app.get('port')); }); var io  = require('socket.io').listen(server);  var usernames = {};  io.sockets.on('connection', function (socket) {   // when client emits 'sendchat' listens ,  executes   socket.on('sendchat', function(data) {     io.sockets.emit('updatechat', socket.username, data);   });    // when client emites 'adduser' listens , executes   socket.on('adduser', function(username) {     // store username in socket session client     socket.username = username;     // add client's username global list     usernames[username] = username;     // echo client they've connected     socket.emit('updatechat', 'server', 'you have connected');     // echo globally (all clients) person has connected     socket.broadcast.emit('updatechat', 'server', username + ' has connected');     // update list of users in chat, client-side     io.sockets.emit('updateusers', usernames);   });    socket.on('disconnect', function() {     // remove username global usernames list     delete usernames[socket.username];     // update list of users in chat, client-side     io.sockets.emit('updateusers', usernames);     // echo globally client has left     socket.broadcast.emit('updatechat', 'server', socket.username + ' has disconnected');   }); });

how can sanitize input prevent against such things, tried googling xss protection prevention, sanitize html input, , other things, can't find nothing!

client code:

socket.on('updatechat', function(username, data) {   $('#conversation').append('<b>'+username+ ':</b>' + data.replace() + '<br>'); });

as mentioned in comment, don't send whole message server. wasting bandwidth , mixing presentation layer server, make things real hassle later on.

instead of updatechat emit, try sending bit more useful such userdisconnected username. let client code display message client has disconnected.

now client, this:

socket.on('userdisconnected', function(username, data) {   $('#conversation').append(     $('<span>').addclass('servermessage').text(username + ' has disconnected'),   ); });

the key here use $.text() set innertext. html becomes irrelevant.


Comments

Post a Comment

Popular posts from this blog

php - cannot display multiple markers in google maps v3 from traceroute result -

i'm newbie in php mysql , google maps v3. have problems in google maps v3. made traceroute web based , map traceroute's result in google maps v3 final project of college education. have try many tutorials didn't work. have tried tutorials in forum nothing worked. problem cannot display multiple markers got location data database. maybe because i'm newbie , not know how do. confuse looping show markers. here code <?php error_reporting(e_all ^ (e_notice)); ini_set('max_execution_time', 360); $enable_log_user = false; global $ip, $host_name, $host_ip; $host = @$_post['host']; $trace = @$_post['trace']; $self = $_server['php_self']; include("phpsqlajax_dbinfo.php"); $connection = mysql_connect ('127.0.0.1', $username, $password); if (!$connection) { die('not connected : ' . mysql_error());} $db_selected = mysql_select_db($database, $connection); if (!$db_selected) { die ('can\'t use db :
Read more

c# - DetailsView in ASP.Net - How to add another column on the side/add a control in each row? -

i have detailsview control on page used edit various fields of record, works in respect. i looking way add 1 column (and if works, why not more) right, absolutely read-only, show same fields of record comparison purposes. i aware there no obvious way such thing out of box detailsview . have looked other controls (transposed gridview , recommended formview , listview ), nothing satisfies. have special data binding setup using detailsview , can't out of without losing features. anyone on how "hack in" additional columns (for display only) on detailsview ? the solution have now, use second detailsview , visible set false in aspx. in code, make sure databind hidden detailsview hosts data third column first, initial detailsview named itemdetails . and in item created event, pass third column html rendering of hidden controls (in last code block) : protected void itemdetails_itemcreated(object sender, eventargs e) { if (dataite
Read more

javascript - firefox memory leak -

i have following script (i use raphaeljs also) draws circle, waits 1 second, draws circle again, etc (you can copy paste - functional, need include raphael raphaeljs.com): <div id="holder"> </div> <script src="raphael.js" type="text/javascript"></script> <script> var paper = raphael(10, 50, 320, 200); var rad = math.pi / 180; var finangle = 0; function sector(cx, cy, r, startangle, endangle, params) { var x1 = cx + r * math.cos(-startangle * rad), x2 = cx + r * math.cos(-endangle * rad), y1 = cy + r * math.sin(-startangle * rad), y2 = cy + r * math.sin(-endangle * rad); return ["m", cx, cy, "l", x1, y1, "a", r, r, 0, +(endangle - startangle > 180), 0, x2, y2]; } var path = sector(100,100,50,0,180); var arc = paper.path(path); function draw() { path = sector(100,100,50,0,finangle);
Read more