8 comments

[ 0.24 ms ] story [ 28.8 ms ] thread
We created this in Meteor.js, pretty fun. Great for short term chat rooms that don't need a sign up. Would love feedback!
Cool! Looks like HTML injection isn't blocked whatsoever. With chat messages being loaded as people enter, it could lead to someone exploiting everyone that enters your site.
Ha, good catch! It's just a toy at this point, but we'll fix that asap.
Please fix it : <IMG SRC=# onmouseover="alert('xxs')">
thanks guys, fixing it now
XSS by writing the message:

  <i<script></script>mg src="#" onerror="alert(1)">
Just stripping out tags doesn't work. Stripping out the script tags there simply ends up creating another new tag. You need to understand and implement proper escaping.
People ... It still has XSS issues ..