Chat with your friends!

Well, everyone was warned to not try XSS, even for testing, or they would get banned by the filters.

Am I correct @MattDESTROYER?

2 Likes

I might have succeeded :grimacing: … lol

(and then got myself banned again trying to push the limits lol)

I recommend trying some RegEx like this: <\w+.*( *on\w+ *= *('|").*('|"))+.*?.*> (case insensitive as well, gmi is what I would do) to be more successful with catching XSS that exploits on attributes. Here’s a demo of that RegEx…

3 Likes

Hm. What if, and hear me out, I distribute a CSS injector to everyone, so then you can’t ban them all? :stuck_out_tongue:

1 Like

Try using DOMPurify or something similar rather than playing whack-a-mole but with exploits and XSS attacks.

2 Likes

or instead, just replace the following:

< <!----> &lt;
> <!----> &gt;
& <!----> &amp;
" <!----> &quot;
' <!----> &apos;
<!-- Correct me if I'm wrong -->

2 Likes

That would prevent using HTML within posts, which from what I understood was intentional, although since you can use markdown it may be pointless and worth it :man_shrugging:

5 Likes

you could either…

  1. Implement custom exceptions that manually add in the few html tags supported by MD
  2. Not use HTML in MD, and create your own standards because HTML is quite dangerous

3 Likes

For example, I tried using markdown, but the styling and the XSS filtering was kinda messed up. Personally, you don’t need HTML in MD (unless you need a summary/details group, which could be easily implemented by creating your own standards or by not implementing it at all)

2 Likes
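The two defensive approaches raised above, the entity replacement table and the "custom exceptions for the few HTML tags markdown supports" idea, put together as an added example. This is not code from the chat project discussed in the thread; the tag allowlist, the helper names and the sample messages are constructed for illustration. It escapes every HTML-significant character in one pass, then restores only bare allowlisted tags, so an event-handler attribute can never come back; the thread's regex is included purely as a detection signal for comparison.

```javascript
// Added example, not the chat project's own code. Assumed allowlist and
// helper names; sample messages below are constructed.

const ENTITY_MAP = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&apos;', // the thread's choice; &#39; is safer for pre-HTML5 parsers
};

// Escape all five characters in a single pass. Doing them one after another
// risks re-escaping earlier output (the classic "&lt;" -> "&amp;lt;" bug).
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => ENTITY_MAP[ch]);
}

// Attribute-free tags a markdown renderer typically emits (assumed list).
// Anything carrying attributes (onclick=, href=, style=) stays escaped.
const ALLOWED_TAGS = ['b', 'i', 'em', 'strong', 'code', 'pre'];
const ALLOWED_TAG_RE = new RegExp(`&lt;(\\/?)(${ALLOWED_TAGS.join('|')})&gt;`, 'gi');

// Escape everything, then un-escape only "<tag>" / "</tag>" from the allowlist.
function renderMessage(text) {
  return escapeHtml(text).replace(ALLOWED_TAG_RE, '<$1$2>');
}

// Post-condition check: after rendering, the only raw < or > left must belong
// to an allowlisted bare tag.
function onlyAllowedTags(html) {
  const bareTagRe = new RegExp(`<\\/?(${ALLOWED_TAGS.join('|')})>`, 'gi');
  return !/[<>]/.test(html.replace(bareTagRe, ''));
}

// The regex suggested earlier in the thread, case-insensitive. Useful as a
// logging/detection signal; it does not replace escaping (no `g` flag, so
// .test() is stateless).
const EVENT_ATTR_RE = /<\w+.*( *on\w+ *= *('|").*('|"))+.*?.*>/i;

function looksLikeEventAttribute(text) {
  return EVENT_ATTR_RE.test(text);
}

// Constructed sample messages: a code snippet with markdown-style bold,
// a tag with an inline event handler, and an allowlisted tag that smuggles
// an attribute.
const SAMPLE_MESSAGES = [
  'check out <b>this</b> snippet: if (a < b && c > 0) { x = "y"; }',
  '<div onclick="doThing()">hi</div>',
  "<b onmouseover='doThing()'>not allowed</b>",
];

for (const msg of SAMPLE_MESSAGES) {
  console.log(
    JSON.stringify(msg),
    '->',
    renderMessage(msg),
    '| event-attr signal:',
    looksLikeEventAttribute(msg),
  );
}
```

The first sample shows why escaping differs from stripping: the `<`, `>` and `&&` of the code snippet are preserved as entities and still display as written, while `<b>` comes back as real bold. In the third sample the opening tag keeps its attribute and therefore stays escaped; only the bare `</b>` is restored, which is harmless.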

The Markdown converter that Element got converts to HTML…

1 Like

By removing certain characters, you are essentially making your users have to guess what the XSS filter will do with the message. For example, transferring code snippets would be impossible due to the removal of certain characters.

3 Likes

At the time, I didn’t know, and still now, I don’t have much clue about it.

What do you mean by that?

@QwertyQwerty88 Also, I was looking through the code and saw this:

# Thanks to Phind

Who is Phind? @python660?

1 Like

not me, my name starts with J

1 Like

Typo

https://www.phind.com/

Not enough people know about him

4 Likes

@element1010 you should add the time posts were posted.

1 Like

Yes, I’m planning on that.

I personally prefer x {units} ago as that way you can take a screenshot without having to blur out your timezone. Perhaps you could add that too as a toggled feature?

4 Likes

I’ve added it. I can’t test it because something is down right now. Hopefully it works.

The data in the top post is outdated. Please do not refer to it.

  • API Integration: There is now a (partial) API with a (partial) Python API package at GitHub - element10101/chat-api. The docs can be found here.
  • Timestamps: There is a beta version of timestamps (beta because it has no timezone and only supports UTC time)
  • Hacker Theme: A hacker theme for people who have tipped 250+ Cycles. Planning to improve it.
  • Better Error Handling: It will rarely now stop because of an error. It might still stop since it is not Always On.

Some of the upcoming updates include emojis, better API, better timestamps, improvements to hacker theme, and more!

We also now have a new list of admins: @element1010, @QwertyQwerty88, @MiloCat, and @Darkoknight.

Please do not use XSS or inject <link>s or <iframe>s, as 99% of the time you will be auto-banned.

A bug reported by @cldprv has also been fixed: Opening tags never closed keep on going.

Thanks to @QwertyQwerty88 for some of these updates!!!

2 Likes

Hey

I never got a reply to this question :slight_smile: