38 comments

[ 0.23 ms ] story [ 80.1 ms ] thread
(comment deleted)
Neat little project, but you can pass HTML tags directly into the chat! <script> doesn't seem to run, but <img> can load from external sites. Be careful!
Site is susceptible to some kind of css attack. Too bad.
(comment deleted)
How can I fix this?
You can try escaping HTML submitted from the form. Or even simply detecting the presence of any HTML tag and rejecting such submissiobs with a friendly error message.
ah yes! i will do this in the next version. someone recomended leaving some of the xss elements like the image and video function with the old school chat vibes but I'm not sure what to do lmaooo
Old school chats and forums dealt with that with special limited markup language for formatting and embedding images or other special elements like youtube videos. Everything outside the limited markup options was treated as text with the replacement of < and > to HTML entities &lt; and &gt; meant to display HTML special characters in text. It was called BBcode, if I recall correctly. It looked something like that:

[b]bold[/b] [i]italic[/i] [img]example.com/image.jpg[/img] [youtube]youtube.com/watch?v=someVideo[/youtube]

I like to use a small utility function like this and pass user input through it.

  function asTextContent(input) {
    const tempElement = document.createElement('span');
    tempElement.textContent = input;
    return tempElement.innerHTML;
  }
It will let the browser handle the escaping.
Really wanted to enjoy this, but it seemed like the room size of 5 was way too small. People would pop in and out endlessly hoping for some bustle but none seemed to be able to build.

What chat I did get really recreated the 14 year old edgelords in chatrooms experience though. Lots of porn gif spamming

Perhaps I might increase room limit to 10 users?

I'm trying to replicate the feeling of a hostel commonroom

2 observations:

I couldn't figure out what my username was, I had to ask in the chat.

It's possible to embed recursive iframes, so I can see that being exploited for bad things.

Otherwise I like the idea. People in the chat were nice, but I can't help but think that soon chat rooms will be full of chatGPT bots and nobody will be any the wiser!

Thank you for the feedback!

So far from users I've heard they want:

1) username visibility fix making sure all colors are visible 2) removal of xss 3) ability to see your own username (its just "you" rn) 4) dark mode

open to any and all suggestions :) my first full stack app. its cool seeing it being used

Don't show people entering and leaving. It clutters the chat, and you don't need to be notified of people leaving as the ephemerality of this is pretty explicit. Larger group sizes to maintain coherence. sanitize your inputs because this is REALLY NSFW now
This is a great comment. Will be implementing this in the next push.
Good luck polishing things up! I had a normal (non goatse'd) session the first try. It really recaptured the early internet vibe for me... loving your idea.
<iframe src="" height=0 width=0 onload="alert(1)" />
what about it? you can't insert an iframe in the chat, I tried ;)
Beyond broken and unsuitable for public release. Take it down and fix it.
Wow. It was working great at the start before people started spamming nsfw content and injecting html and css into the page. Will be taking down the site in the morning and working on version 2. I guess from this I can say there’s some demand?
Easy fix: In your script.js in the appendMessage function do this:

    const chatMessage = document.createElement("div");
    chatMessage.classList.add("chat-message");
    chatMessage.innerHTML = `<span class="username" style="color: ${color};">${username}:</span> `;
    const userMessage = document.createElement('span');
    span.innerText = message;
    chatMessage.appendChild(userMessage);
    chatContainer.appendChild(chatMessage);
    chatContainer.scrollTop = chatContainer.scrollHeight;
I love how people here actually check the source code of a website. So HN
It's unfortunate, though anything you make online now will be abused readily and should thus be hardened. By leaving it in the state it was, regular users were endangered.
Don't be dramatic, there was no danger.
Folks were spamming porn and posting your IP address to chat on your behalf. Being able to execute code in someone else’s browser is dangerous.
No it's not. Literally every website you visit can do that. It's called JavaScript and it's sandboxed.

You really think some rando that spins up a web server is significantly more trustworthy that a rando in a chat channel? Of course not, they're the same people.

Lots of awful porn gifs spam, even from my account because there are security issues that allowed other group members to send messages with my nick
You should disable gif/image rendering by default and make it opt-in, this is basically a link to porn right now and HN should take it down.
I was having fun, but the message feed started bugging out :( (a lot of messages of broken images and 'meow' text)