From 5a4938ef607f73e20617e4b87f7a21dfd2e17851 Mon Sep 17 00:00:00 2001
From: Mitchdev
Date: Fri, 12 Apr 2024 03:17:50 +1200
Subject: [PATCH 1/2] Prevent html injection using user tag

---
 assets/chat/js/messages/ChatUserMessage.js | 11 ++++++-----
 1 file changed, 6 insertions(+), 5 deletions(-)

diff --git a/assets/chat/js/messages/ChatUserMessage.js b/assets/chat/js/messages/ChatUserMessage.js
index 80aaa8c8..e97f2240 100644
--- a/assets/chat/js/messages/ChatUserMessage.js
+++ b/assets/chat/js/messages/ChatUserMessage.js
@@ -61,11 +61,12 @@ export default class ChatUserMessage extends ChatMessage {
 else if (this.slashme || this.continued) ctrl = '';
 const colorFlair = usernameColorFlair(chat.flairs, this.user);
- const user = `${this.buildFeatures(this.user, chat)} ${
- this.user.displayName
- }`;
+ const user = `${this.buildFeatures(this.user, chat)} ${this.user.displayName}`;
 return this.wrap(
 `${this.buildTime()} ${user}${ctrl} ${this.buildMessageTxt(
 chat,

From 0ea328234a59964e77c1c0a1d7066070f4fdadbc Mon Sep 17 00:00:00 2001
From: Mitchdev
Date: Sat, 20 Apr 2024 23:50:16 +1200
Subject: [PATCH 2/2] use encodeUrl

---
 assets/chat/js/encodeUrl.js | 17 +++++++++++++++++
 assets/chat/js/formatters/UrlFormatter.js | 20 +++----------------
 assets/chat/js/messages/ChatUserMessage.js | 12 ++++++------
 3 files changed, 26 insertions(+), 23 deletions(-)
 create mode 100644 assets/chat/js/encodeUrl.js

diff --git a/assets/chat/js/encodeUrl.js b/assets/chat/js/encodeUrl.js
new file mode 100644
index 00000000..f6f273c3
--- /dev/null
+++ b/assets/chat/js/encodeUrl.js
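Review bot: On the new side of this hunk `this.user.displayName` is still interpolated straight into the markup string, `const user = \`${this.buildFeatures(this.user, chat)} ${this.user.displayName}\`;`, and the only visible difference from the removed lines is the line wrapping, so the injection named in the subject line does not appear to be closed here. The hunk header counts 11/12 lines and the diffstat 6 insertions, more than are shown, so the escaping may sit on lines that did not survive rendering; if it does not, the display name needs entity encoding before it is placed in the template, e.g. `${encodeUrl(this.user.displayName)}` using the encoder the second patch of this series introduces, with the matching import. The enclosing method starts and ends outside the hunk.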
@@ -0,0 +1,17 @@
+// stolen from angular.js
+// https://github.com/angular/angular.js/blob/v1.3.14/src/ngSanitize/sanitize.js#L435
+function encodeUrl(value) {
+ return value
+ .replace(/&/g, '&')
+ .replace(/[\uD800-\uDBFF][\uDC00-\uDFFF]/g, (v) => {
+ const hi = v.charCodeAt(0);
+ const low = v.charCodeAt(1);
+ return `&#${(hi - 0xd800) * 0x400 + (low - 0xdc00) + 0x10000};`;
+ })
+ .replace(/([^#-~| |!])/g, (v) => `&#${v.charCodeAt(0)};`)
+ .replace(//g, '>')
+ .replace(/"/g, '"');
+}
+
+export default encodeUrl;
diff --git a/assets/chat/js/formatters/UrlFormatter.js b/assets/chat/js/formatters/UrlFormatter.js
index 681b3cb6..5390236a 100644
--- a/assets/chat/js/formatters/UrlFormatter.js
+++ b/assets/chat/js/formatters/UrlFormatter.js
@@ -1,6 +1,7 @@
 import $ from 'jquery';
 import { linkregex } from '../regex';
 import { HashLinkConverter } from '../hashlinkconverter';
+import encodeUrl from '../encodeUrl';
 
 export default class UrlFormatter {
 constructor() {
@@ -8,21 +9,6 @@ export default class UrlFormatter {
 this.elem = $('
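Review bot: `encodeUrl` is an HTML entity encoder, not a URL encoder — every character outside `#`–`~`, space, `|` and `!` becomes a numeric character reference and the trailing replaces handle `&`, `<`, `>` — and the new module, now shared with ChatUserMessage, carries no documentation saying so; add a JSDoc above the function such as `/** Escape a string for safe insertion as HTML text or a double-quoted attribute value. Despite the name this is entity encoding, not URL encoding. @param {string} value @returns {string} */`. Two properties of the encoder belong in that doc: `'` (U+0027) lies inside `#-~`, so it passes through unencoded and the output is not safe inside a single-quoted attribute, and the final `.replace(/"/g, …)` is unreachable because `"` (U+0022) lies below `#` and has already become `&#34;` in the `[^#-~| |!]` pass, so that line can be dropped. The replacement strings as rendered on this page look truncated by HTML extraction; I am reading them as the upstream angular `&amp;`/`&lt;`/`&gt;`/`&quot;` strings. Callers also get a TypeError rather than an escaped string when `value` is null or undefined, which is worth stating in the JSDoc or guarding with `if (value == null) return '';`.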
');
 }
 
- // stolen from angular.js
- // https://github.com/angular/angular.js/blob/v1.3.14/src/ngSanitize/sanitize.js#L435
- encodeUrl(value) {
- return value
- .replace(/&/g, '&')
- .replace(/[\uD800-\uDBFF][\uDC00-\uDFFF]/g, (v) => {
- const hi = v.charCodeAt(0);
- const low = v.charCodeAt(1);
- return `&#${(hi - 0xd800) * 0x400 + (low - 0xdc00) + 0x10000};`;
- })
- .replace(/([^#-~| |!])/g, (v) => `&#${v.charCodeAt(0)};`)
- .replace(//g, '>');
- }
-
 format(chat, str) {
 if (!str) return undefined;
 const self = this;
@@ -35,7 +21,7 @@ export default class UrlFormatter {
 const decodedUrl = self.elem.html(url).text();
 const m = decodedUrl.match(linkregex);
 if (m) {
- const normalizedUrl = self.encodeUrl(this.normalizeUrl(m[0]));
+ const normalizedUrl = encodeUrl(this.normalizeUrl(m[0]));
 let embedHashLink = '';
 try {
@@ -53,7 +39,7 @@ export default class UrlFormatter {
 urlText = `${urlText.slice(0, 40)}...${urlText.slice(-40)}`;
 }
- const extra = self.encodeUrl(decodedUrl.substring(m[0].length));
+ const extra = encodeUrl(decodedUrl.substring(m[0].length));
 const href = `${scheme ? '' : 'http://'}${normalizedUrl}`;
 const embedTarget = chat.isBigscreenEmbed() ? '_top' : '_blank';
diff --git a/assets/chat/js/messages/ChatUserMessage.js b/assets/chat/js/messages/ChatUserMessage.js
index e97f2240..d9befce9 100644
--- a/assets/chat/js/messages/ChatUserMessage.js
+++ b/assets/chat/js/messages/ChatUserMessage.js
@@ -1,3 +1,4 @@
+import encodeUrl from '../encodeUrl';
 import ChatMessage from './ChatMessage';
 import MessageTypes from './MessageTypes';
@@ -61,12 +62,11 @@ export default class ChatUserMessage extends ChatMessage {
 else if (this.slashme || this.continued) ctrl = '';
 const colorFlair = usernameColorFlair(chat.flairs, this.user);
- const user = `${this.buildFeatures(this.user, chat)} ${this.user.displayName}`;
+ const user = `${this.buildFeatures(this.user, chat)} ${
+ this.user.displayName
+ }`;
 return this.wrap(
 `${this.buildTime()} ${user}${ctrl} ${this.buildMessageTxt(
 chat,