javascript - I made a simple chat room with sockets.io, how do I prevent XSS attacks? -
as title says made simple chat room sockets.io, problem have no xss protection , buddies keep putting infinite loops usernames, can imagine how trolly getting :p. app.js
/** * module dependencies. */ var express = require('express') , routes = require('./routes') , user = require('./routes/user') , http = require('http') , path = require('path'); var app = express(); // environments app.set('port', process.env.port || 3000); app.set('views', __dirname + '/views'); app.set('view engine', 'jade'); app.use(express.favicon()); app.use(express.logger('dev')); app.use(express.bodyparser()); app.use(express.methodoverride()); app.use(app.router); app.use(express.static(path.join(__dirname, 'public'))); // development if ('development' == app.get('env')) { app.use(express.errorhandler()); } app.get('/', routes.index); app.get('/users', user.list); var server = http.createserver(app).listen(app.get('port'), function(){ console.log('express server listening on port ' + app.get('port')); }); var io = require('socket.io').listen(server); var usernames = {}; io.sockets.on('connection', function (socket) { // when client emits 'sendchat' listens , executes socket.on('sendchat', function(data) { io.sockets.emit('updatechat', socket.username, data); }); // when client emites 'adduser' listens , executes socket.on('adduser', function(username) { // store username in socket session client socket.username = username; // add client's username global list usernames[username] = username; // echo client they've connected socket.emit('updatechat', 'server', 'you have connected'); // echo globally (all clients) person has connected socket.broadcast.emit('updatechat', 'server', username + ' has connected'); // update list of users in chat, client-side io.sockets.emit('updateusers', usernames); }); socket.on('disconnect', function() { // remove username global usernames list delete usernames[socket.username]; // update list of users in chat, client-side io.sockets.emit('updateusers', usernames); // echo globally client has left socket.broadcast.emit('updatechat', 'server', socket.username + ' has disconnected'); }); }); how can sanitize input prevent against such things, tried googling xss protection prevention, sanitize html input, , other things, can't find nothing!
client code:
socket.on('updatechat', function(username, data) { $('#conversation').append('<b>'+username+ ':</b>' + data.replace() + '<br>'); });
as mentioned in comment, don't send whole message server. wasting bandwidth , mixing presentation layer server, make things real hassle later on.
instead of updatechat emit, try sending bit more useful such userdisconnected username. let client code display message client has disconnected.
now client, this:
socket.on('userdisconnected', function(username, data) { $('#conversation').append( $('<span>').addclass('servermessage').text(username + ' has disconnected'), ); }); the key here use $.text() set innertext. html becomes irrelevant.
Comments
Post a Comment