Neat little project, but you can pass HTML tags directly into the chat! <script> doesn't seem to run, but <img> can load from external sites. Be careful!
You can try escaping HTML submitted from the form. Or even simply detecting the presence of any HTML tag and rejecting such submissiobs with a friendly error message.
ah yes! i will do this in the next version. someone recomended leaving some of the xss elements like the image and video function with the old school chat vibes but I'm not sure what to do lmaooo
Old school chats and forums dealt with that with special limited markup language for formatting and embedding images or other special elements like youtube videos. Everything outside the limited markup options was treated as text with the replacement of < and > to HTML entities < and > meant to display HTML special characters in text. It was called BBcode, if I recall correctly. It looked something like that:
Really wanted to enjoy this, but it seemed like the room size of 5 was way too small. People would pop in and out endlessly hoping for some bustle but none seemed to be able to build.
What chat I did get really recreated the 14 year old edgelords in chatrooms experience though. Lots of porn gif spamming
I couldn't figure out what my username was, I had to ask in the chat.
It's possible to embed recursive iframes, so I can see that being exploited for bad things.
Otherwise I like the idea. People in the chat were nice, but I can't help but think that soon chat rooms will be full of chatGPT bots and nobody will be any the wiser!
Don't show people entering and leaving. It clutters the chat, and you don't need to be notified of people leaving as the ephemerality of this is pretty explicit. Larger group sizes to maintain coherence. sanitize your inputs because this is REALLY NSFW now
Good luck polishing things up! I had a normal (non goatse'd) session the first try. It really recaptured the early internet vibe for me... loving your idea.
Wow. It was working great at the start before people started spamming nsfw content and injecting html and css into the page. Will be taking down the site in the morning and working on version 2. I guess from this I can say there’s some demand?
It's unfortunate, though anything you make online now will be abused readily and should thus be hardened. By leaving it in the state it was, regular users were endangered.
No it's not. Literally every website you visit can do that. It's called JavaScript and it's sandboxed.
You really think some rando that spins up a web server is significantly more trustworthy that a rando in a chat channel? Of course not, they're the same people.
38 comments
[ 0.23 ms ] story [ 80.1 ms ] threadEdit: this focuses on script tags and other means to inject code, but most defenses also work for other injected tags
first time figuring out opsec !
[b]bold[/b] [i]italic[/i] [img]example.com/image.jpg[/img] [youtube]youtube.com/watch?v=someVideo[/youtube]
What chat I did get really recreated the 14 year old edgelords in chatrooms experience though. Lots of porn gif spamming
I'm trying to replicate the feeling of a hostel commonroom
I couldn't figure out what my username was, I had to ask in the chat.
It's possible to embed recursive iframes, so I can see that being exploited for bad things.
Otherwise I like the idea. People in the chat were nice, but I can't help but think that soon chat rooms will be full of chatGPT bots and nobody will be any the wiser!
So far from users I've heard they want:
1) username visibility fix making sure all colors are visible 2) removal of xss 3) ability to see your own username (its just "you" rn) 4) dark mode
open to any and all suggestions :) my first full stack app. its cool seeing it being used
The author of the site was naughty and didn't do any sanitization :) They said they've fixed it in another comment, though.
You really think some rando that spins up a web server is significantly more trustworthy that a rando in a chat channel? Of course not, they're the same people.