fix: xss chat input
authorxangelo <me@xangelo.ca>
Mon, 21 Aug 2023 19:52:32 +0000 (15:52 -0400)
committerxangelo <me@xangelo.ca>
Mon, 21 Aug 2023 19:52:32 +0000 (15:52 -0400)
package-lock.json
package.json
src/server/api.ts

index 3a59fa940979d4a5ac9578458e4204311a9ac44f..10b4c9c219fafe1b6081eb51c5aed29fc72ff61e 100644 (file)
@@ -26,7 +26,8 @@
         "socket.io-client": "^4.6.1",
         "uuid": "^9.0.0",
         "webpack": "^5.84.1",
-        "webpack-cli": "^5.1.1"
+        "webpack-cli": "^5.1.1",
+        "xss": "^1.0.14"
       },
       "devDependencies": {
         "@commitlint/cli": "^17.6.6",
         "node": ">= 8"
       }
     },
+    "node_modules/cssfilter": {
+      "version": "0.0.10",
+      "resolved": "https://registry.npmjs.org/cssfilter/-/cssfilter-0.0.10.tgz",
+      "integrity": "sha512-FAaLDaplstoRsDR8XGYH51znUN0UY7nMc6Z9/fvE8EXGwvJE9hu7W2vHwx1+bd6gCYnln9nLbzxFTrcO9YQDZw=="
+    },
     "node_modules/csv-parse": {
       "version": "5.4.0",
       "resolved": "https://registry.npmjs.org/csv-parse/-/csv-parse-5.4.0.tgz",
       "resolved": "https://registry.npmjs.org/xorshift/-/xorshift-1.2.0.tgz",
       "integrity": "sha512-iYgNnGyeeJ4t6U11NpA/QiKy+PXn5Aa3Azg5qkwIFz1tBLllQrjjsk9yzD7IAK0naNU4JxdeDgqW9ov4u/hc4g=="
     },
+    "node_modules/xss": {
+      "version": "1.0.14",
+      "resolved": "https://registry.npmjs.org/xss/-/xss-1.0.14.tgz",
+      "integrity": "sha512-og7TEJhXvn1a7kzZGQ7ETjdQVS2UfZyTlsEdDOqvQF7GoxNfY+0YLCzBy1kPdsDDx4QuNAonQPddpsn6Xl/7sw==",
+      "dependencies": {
+        "commander": "^2.20.3",
+        "cssfilter": "0.0.10"
+      },
+      "bin": {
+        "xss": "bin/xss"
+      },
+      "engines": {
+        "node": ">= 0.10.0"
+      }
+    },
     "node_modules/xtend": {
       "version": "4.0.2",
       "resolved": "https://registry.npmjs.org/xtend/-/xtend-4.0.2.tgz",
         "which": "^2.0.1"
       }
     },
+    "cssfilter": {
+      "version": "0.0.10",
+      "resolved": "https://registry.npmjs.org/cssfilter/-/cssfilter-0.0.10.tgz",
+      "integrity": "sha512-FAaLDaplstoRsDR8XGYH51znUN0UY7nMc6Z9/fvE8EXGwvJE9hu7W2vHwx1+bd6gCYnln9nLbzxFTrcO9YQDZw=="
+    },
     "csv-parse": {
       "version": "5.4.0",
       "resolved": "https://registry.npmjs.org/csv-parse/-/csv-parse-5.4.0.tgz",
       "resolved": "https://registry.npmjs.org/xorshift/-/xorshift-1.2.0.tgz",
       "integrity": "sha512-iYgNnGyeeJ4t6U11NpA/QiKy+PXn5Aa3Azg5qkwIFz1tBLllQrjjsk9yzD7IAK0naNU4JxdeDgqW9ov4u/hc4g=="
     },
+    "xss": {
+      "version": "1.0.14",
+      "resolved": "https://registry.npmjs.org/xss/-/xss-1.0.14.tgz",
+      "integrity": "sha512-og7TEJhXvn1a7kzZGQ7ETjdQVS2UfZyTlsEdDOqvQF7GoxNfY+0YLCzBy1kPdsDDx4QuNAonQPddpsn6Xl/7sw==",
+      "requires": {
+        "commander": "^2.20.3",
+        "cssfilter": "0.0.10"
+      }
+    },
     "xtend": {
       "version": "4.0.2",
       "resolved": "https://registry.npmjs.org/xtend/-/xtend-4.0.2.tgz",
index b651e635e1ed0c298623363d0e5a739d028a4fcd..39016a47c1bd8d28c095464b92aa10786b43e51f 100644 (file)
@@ -60,7 +60,8 @@
     "socket.io-client": "^4.6.1",
     "uuid": "^9.0.0",
     "webpack": "^5.84.1",
-    "webpack-cli": "^5.1.1"
+    "webpack-cli": "^5.1.1",
+    "xss": "^1.0.14"
   },
   "nodemonConfig": {
     "ignore": [
index 5c6a55842bab26224a9438648834d963a15edac7..d8296fc1de79d513619a3aea18d65bdf2d920f3a 100644 (file)
@@ -4,6 +4,7 @@ import { config as dotenv } from 'dotenv';
 import { join } from 'path';
 import express, {Request, Response} from 'express';
 import bodyParser from 'body-parser';
+import xss from 'xss';
 
 import http from 'http';
 import { Server, Socket } from 'socket.io';
@@ -415,7 +416,7 @@ app.post('/chat', authEndpoint, async (req: AuthRequest, res: Response) => {
     }
   }
   else {
-    message = broadcastMessage(req.player.username, msg);
+    message = broadcastMessage(req.player.username, xss(msg));
     chatHistory.push(message);
     chatHistory.slice(-10);
   }
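Review bot: `chatHistory.slice(-10)` on the line after the push discards its return value, so the history is never trimmed and grows with every message; keep the last ten with `chatHistory = chatHistory.slice(-10);` (if the array is reassignable) or in place with `chatHistory.splice(0, chatHistory.length - 10);`. Note also that `xss()` is an allow-list HTML filter, not an escaper: tags on its default allow list (links, basic formatting) still pass through to the broadcast, so if chat is meant to be plain text, encoding the message at render time or calling `xss(msg, { whiteList: {} })` is the tighter choice. The `if` branch closing just above the hunk still receives `msg` unsanitized if it forwards the text as well — worth confirming. The `app.post('/chat', …)` handler starts and ends outside the hunk.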