This repository has been archived by the owner on Jul 17, 2023. It is now read-only.

HTML and JS code injection #12

Closed
deleterium opened this issue Nov 13, 2019 · 2 comments

Comments

@deleterium
Contributor

Hi Mark!

I just noticed that it is possible to inject HTML and JS (and possibly everything) by sending a message to a friend, i.e.

Hi friend, a cool <a href="javascript:alert('Bad things could happen')">link</a> to you!

I think we need to process the text after decryption and before showing it, because there is no way to prevent a bad actor from encrypting bad code. The server also cannot process the messages because they are encrypted.

We can use:

safe_text = insecure_text.replace(/</g, "&lt;").replace(/>/g, "&gt;");

@markszabo
Owner

Oh, I don't know how I missed this one. I wouldn't go the filtering route tbh, but would rather use jQuery's text() method. For example this:

$('#messages').append('<div class="msgFromMe">' + msg + '</div>');

would become:

var newdiv = $('<div class="msgFromMe"></div>');
newdiv.text(msg);
$('#messages').append(newdiv);

And the same thing in any other place where any user supplied input is displayed (e.g. messages, username).

@deleterium
Contributor Author

To solve this once and for all I decided to add a Content-Security-Policy header, not allowing inline scripts. This jQuery solution ( .text(msg) ) was applied everywhere usernames or messages are displayed, solving HTML injection and the possibility of destroying the site layout.
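Added example, written for this page and not code from the project: the concatenation path and the escaping / text-node path discussed above, modelled without a browser DOM so the comparison runs under Node, plus a small check on a Content-Security-Policy header like the one the last comment adds. It goes beyond the first comment's replace() by also escaping & and quotes; the constructed message, the CSP parser and allowsInlineScript are assumptions, not the project's code.

```javascript
// Added example, not the project's code: both rendering paths from this thread,
// modelled without a DOM so it runs under Node.
// Constructed sample: the payload quoted in the first comment.
const HOSTILE_MSG =
  'Hi friend, a cool <a href="javascript:alert(\'Bad things could happen\')">link</a> to you!';

// Vulnerable path: string concatenation as in the original append() call.
// Whatever the sender typed is parsed as markup on the recipient's page.
function renderUnsafe(msg) {
  return '<div class="msgFromMe">' + msg + '</div>';
}

// Escaping from the first comment, extended to & and quotes so the result is
// also safe inside attribute values. & must be replaced first or the other
// entities would be double-escaped.
function escapeHtml(text) {
  return String(text)
    .replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;').replace(/'/g, '&#39;');
}

// Equivalent of newdiv.text(msg): the message only ever becomes a text node.
function renderSafe(msg) {
  return '<div class="msgFromMe">' + escapeHtml(msg) + '</div>';
}

// Check used below: does the wrapped message still contain a start tag?
function containsTag(rendered) {
  const inner = rendered.slice('<div class="msgFromMe">'.length, -'</div>'.length);
  return /<[a-zA-Z]/.test(inner);
}

// Parse a Content-Security-Policy header into { directive: [sources] }.
function parseCsp(header) {
  const policy = {};
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length) policy[tokens[0]] = tokens.slice(1);
  }
  return policy;
}

// Does the policy still let inline script run? Only 'unsafe-inline' is checked;
// nonce- and hash-sources are deliberately not considered here.
function allowsInlineScript(header) {
  const p = parseCsp(header);
  const sources = p['script-src'] || p['default-src'];
  if (!sources) return true; // no script-src and no default-src: unrestricted
  return sources.includes("'unsafe-inline'");
}
```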
