My chat app now has XSS PROTECTION!

Continuing the discussion from Chat with your friends!:

So, recently, I’ve been updating this chat app and I’ve added a few new features.

Recently, many people have been trying to hack it since we didn’t have sufficient XSS protection. Now it does. Anyone who attempts XSS will be auto-banned by our moderation bot.

Why I had to do this

I never thought anyone would want to hack it, but someone did. I’ve had to deal with hackers three times now so far. So I decided to make a few moderation bots.

What's coming next

Timestamps on messages

Extra perks for tippers

A full API

and more!


You should either have the client retrieve posts and use textContent/innerText or at the very least HTML escape the posts in the db.
What you have right now isn’t sufficient XSS protection. If I were to be honest, it isn’t even protection. A <script> tag isn’t the only way to use XSS. I would say one of the most common is <img src="" onerror="code">
Either way, you should just rewrite how the posts are displayed or escape the HTML, because trying to plug XSS with string analysis won’t really work.
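The point made in the reply above, as an added example that is not part of the original thread or the chat app's code: a string-analysis filter is compared with HTML escaping by parsing the rendered fragment and listing the elements each approach lets through. `blocklist_filter` is a hypothetical stand-in for the app's filter, and the sample posts are constructed, apart from the `<img>` string quoted in the reply.

```python
import html
from html.parser import HTMLParser

# Constructed sample posts; the second is the string quoted in the reply above.
SAMPLE_POSTS = [
    "hello <b>world</b> & friends",
    '<img src="" onerror="code">',
    "<script>code</script>",
]

def blocklist_filter(post):
    """Hypothetical string-analysis filter: reject posts containing '<script'."""
    if "<script" in post.lower():
        return None   # post rejected (this is where a moderation bot would ban)
    return post       # everything else reaches the page unchanged

def escape_post(post):
    """Output encoding: every post is accepted and rendered as inert text."""
    return html.escape(post, quote=True)

class TagCollector(HTMLParser):
    """Records every element (with attributes) an HTML parser would create."""
    def __init__(self):
        super().__init__()
        self.elements = []

    def handle_starttag(self, tag, attrs):
        self.elements.append((tag, dict(attrs)))

def injected_elements(rendered_post):
    """Parse <li>POST</li> and return the elements other than the <li> itself."""
    collector = TagCollector()
    collector.feed("<li>" + rendered_post + "</li>")
    collector.close()
    return [e for e in collector.elements if e[0] != "li"]

def audit(posts):
    """For each post, list the elements each strategy lets into the page."""
    report = []
    for post in posts:
        filtered = blocklist_filter(post)
        via_filter = [] if filtered is None else injected_elements(filtered)
        via_escape = injected_elements(escape_post(post))
        report.append((post, via_filter, via_escape))
    return report

if __name__ == "__main__":
    for post, via_filter, via_escape in audit(SAMPLE_POSTS):
        print(repr(post), "| filter lets in:", via_filter, "| escape lets in:", via_escape)
```

Jinja templates rendered through Flask's `render_template` apply the same kind of escaping automatically for `.html` templates, unless a value is marked safe or autoescaping is turned off.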


On line 35 of templates/chat.html, you seem to have forgotten the .js for the source of the script file (which is causing the chat app not to function).

1 Like

No, I’m using a static hosting thing with Flask, so it’s fine.

No, I’m quite sure that’s a different bug.

1 Like

Thanks! I’ll improve the filter hopefully not too far in the future.

But you’re using a js file to define a new function
Without loading the js file, it isn’t possible to post
After executing the code in the developer console I’m able to post again

1 Like

i got banned :rofl:
i kinda sorta maybe added a rickroll redirect xss to prove my point in a post


1 Like

@element1010 you use Flask, right? Flask has a built-in XSS protection system. If you want, I can implement it

1 Like

Really? How do I implement it?

1 Like

Looks like you already knew about it.


1 Like

Someone decided to test it and got banned :stuck_out_tongue:

No need for that. I invited you to it

well so did I lol
unban me please, I’m a white hat hacker, and I didn’t mean to cause any trouble, I’m just finding bugs in your code
and i found another flaw that allows me to unban myself but only for one request

ok i will

Please tell me in a PM/DM.

i… don’t know how to create a dm
oh and thx for unbanning me btw
can I help? Python Flask/Jinja templates are my kind of thing. here are my favorites that I’ve made:

You can either click on the user’s profile, then click “Message”

Or use the message section on the navigation:


yeah, that was me. I cleared the chat tho