So, recently, I’ve been updating this chat app and I’ve added a few new features.
Recently, many people have been trying to hack it since we didn’t have sufficient XSS protection. Now it does. Anyone who attempts XSS will be auto-banned by our moderation bot.
Why I had to do this
I never thought anyone would want to hack it, but someone did. I’ve had to deal with hackers three times now so far. So I decided to make a few moderation bots.
You should either have the client retrieve posts and use textContent/innerText or at the very least HTML escape the posts in the db.
What you have right now isn’t sufficient XSS protection; if I were to be honest, it isn’t even protection. A <script> tag isn’t the only way to use XSS. I would say one of the most common is <img src="" onerror="code">
Either way, you should just rewrite how the posts are displayed or escape the HTML, because trying to plug XSS with string analysis won’t really work.
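The point of the reply above, as an added example that is not part of the original thread or the chat app's code: a filter that looks for `<script` lets the `<img ... onerror>` form through, while escaping the post on output neutralizes both. The names `naiveFilter`, `escapeHtml`, `renderPost` and `report` are hypothetical, and the sample posts are constructed.

```javascript
// Added example; hypothetical names, not the chat app's code.

// Stand-in for "string analysis": accept a post unless it contains "<script".
function naiveFilter(post) {
  return !/<\s*script/i.test(post);
}

// Escape the five characters that matter in HTML text and quoted attributes.
const HTML_ESCAPES = {
  "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
};
function escapeHtml(text) {
  // Single pass, so "&" produced by an earlier replacement is never re-escaped.
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Build the markup for one post; only the template's own tags stay live.
function renderPost(author, body) {
  return `<div class="post"><b>${escapeHtml(author)}</b>: ${escapeHtml(body)}</div>`;
}

// Constructed sample posts; the second is the form quoted in the reply.
const samples = [
  "hello <b>world</b>",
  '<img src="" onerror="code">',
  "<script>code</script>",
  "Tom & Jerry's",
];

// For each post: does the blocklist accept it, and is the escaped form inert?
function report(posts) {
  return posts.map((post) => ({
    post,
    passesNaiveFilter: naiveFilter(post),
    escaped: escapeHtml(post),
    escapedHasTag: /[<>]/.test(escapeHtml(post)),
  }));
}

for (const row of report(samples)) {
  console.log(row.passesNaiveFilter ? "accepted" : "rejected", "|", row.escaped);
}

// In the browser, element.textContent = post gives the same result
// without building markup from user input at all.
```
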
On line 35 of templates/chat.html, you seem to have forgotten the .js for the source of the script file (which is causing the chat app not to function).
But you’re using a js file to define a new function
Without loading the js file, it isn’t possible to post
After executing the code in the developer console I’m able to post again
well so did I lol
Unban me please, I’m a white hat hacker, and I didn’t mean to cause any trouble, I’m just finding bugs in your code
and I found another flaw that allows me to unban myself but only for one request