From: xangelo
Date: Mon, 21 Aug 2023 19:52:32 +0000 (-0400)
Subject: fix: xss chat input
X-Git-Tag: v0.2.12~1
X-Git-Url: https://git.xangelo.ca/?a=commitdiff_plain;h=943cbc31f820a2aa92469b10b60ecea72543c141;p=risinglegends.git

fix: xss chat input
---
diff --git a/package-lock.json b/package-lock.json
index 3a59fa9..10b4c9c 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -26,7 +26,8 @@
 "socket.io-client": "^4.6.1",
 "uuid": "^9.0.0",
 "webpack": "^5.84.1",
- "webpack-cli": "^5.1.1"
+ "webpack-cli": "^5.1.1",
+ "xss": "^1.0.14"
 },
 "devDependencies": {
 "@commitlint/cli": "^17.6.6",
@@ -5993,6 +5994,11 @@
 "node": ">= 8"
 }
 },
+ "node_modules/cssfilter": {
+ "version": "0.0.10",
+ "resolved": "https://registry.npmjs.org/cssfilter/-/cssfilter-0.0.10.tgz",
+ "integrity": "sha512-FAaLDaplstoRsDR8XGYH51znUN0UY7nMc6Z9/fvE8EXGwvJE9hu7W2vHwx1+bd6gCYnln9nLbzxFTrcO9YQDZw=="
+ },
 "node_modules/csv-parse": {
 "version": "5.4.0",
 "resolved": "https://registry.npmjs.org/csv-parse/-/csv-parse-5.4.0.tgz",
@@ -11837,6 +11843,21 @@
 "resolved": "https://registry.npmjs.org/xorshift/-/xorshift-1.2.0.tgz",
 "integrity": "sha512-iYgNnGyeeJ4t6U11NpA/QiKy+PXn5Aa3Azg5qkwIFz1tBLllQrjjsk9yzD7IAK0naNU4JxdeDgqW9ov4u/hc4g=="
 },
+ "node_modules/xss": {
+ "version": "1.0.14",
+ "resolved": "https://registry.npmjs.org/xss/-/xss-1.0.14.tgz",
+ "integrity": "sha512-og7TEJhXvn1a7kzZGQ7ETjdQVS2UfZyTlsEdDOqvQF7GoxNfY+0YLCzBy1kPdsDDx4QuNAonQPddpsn6Xl/7sw==",
+ "dependencies": {
+ "commander": "^2.20.3",
+ "cssfilter": "0.0.10"
+ },
+ "bin": {
+ "xss": "bin/xss"
+ },
+ "engines": {
+ "node": ">= 0.10.0"
+ }
+ },
 "node_modules/xtend": {
 "version": "4.0.2",
 "resolved": "https://registry.npmjs.org/xtend/-/xtend-4.0.2.tgz",
@@ -16386,6 +16407,11 @@
 "which": "^2.0.1"
 }
 },
+ "cssfilter": {
+ "version": "0.0.10",
+ "resolved": "https://registry.npmjs.org/cssfilter/-/cssfilter-0.0.10.tgz",
+ "integrity": "sha512-FAaLDaplstoRsDR8XGYH51znUN0UY7nMc6Z9/fvE8EXGwvJE9hu7W2vHwx1+bd6gCYnln9nLbzxFTrcO9YQDZw=="
+ },
 "csv-parse": {
 "version": "5.4.0",
 "resolved": "https://registry.npmjs.org/csv-parse/-/csv-parse-5.4.0.tgz",
@@ -20698,6 +20724,15 @@
 "resolved": "https://registry.npmjs.org/xorshift/-/xorshift-1.2.0.tgz",
 "integrity": "sha512-iYgNnGyeeJ4t6U11NpA/QiKy+PXn5Aa3Azg5qkwIFz1tBLllQrjjsk9yzD7IAK0naNU4JxdeDgqW9ov4u/hc4g=="
 },
+ "xss": {
+ "version": "1.0.14",
+ "resolved": "https://registry.npmjs.org/xss/-/xss-1.0.14.tgz",
+ "integrity": "sha512-og7TEJhXvn1a7kzZGQ7ETjdQVS2UfZyTlsEdDOqvQF7GoxNfY+0YLCzBy1kPdsDDx4QuNAonQPddpsn6Xl/7sw==",
+ "requires": {
+ "commander": "^2.20.3",
+ "cssfilter": "0.0.10"
+ }
+ },
 "xtend": {
 "version": "4.0.2",
 "resolved": "https://registry.npmjs.org/xtend/-/xtend-4.0.2.tgz",
diff --git a/package.json b/package.json
index b651e63..39016a4 100644
--- a/package.json
+++ b/package.json
@@ -60,7 +60,8 @@
 "socket.io-client": "^4.6.1",
 "uuid": "^9.0.0",
 "webpack": "^5.84.1",
- "webpack-cli": "^5.1.1"
+ "webpack-cli": "^5.1.1",
+ "xss": "^1.0.14"
 },
 "nodemonConfig": {
 "ignore": [
diff --git a/src/server/api.ts b/src/server/api.ts
index 5c6a558..d8296fc 100644
--- a/src/server/api.ts
+++ b/src/server/api.ts
@@ -4,6 +4,7 @@ import { config as dotenv } from 'dotenv';
 import { join } from 'path';
 import express, {Request, Response} from 'express';
 import bodyParser from 'body-parser';
+import xss from 'xss';
 import http from 'http';
 import { Server, Socket } from 'socket.io';
@@ -415,7 +416,7 @@ app.post('/chat', authEndpoint, async (req: AuthRequest, res: Response) => {
 }
 } else {
- message = broadcastMessage(req.player.username, msg);
+ message = broadcastMessage(req.player.username, xss(msg));
 chatHistory.push(message);
 chatHistory.slice(-10);
 }
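Review bot: The sanitized value is applied only in the `else` branch of the `/chat` handler, and `xss()` with its default options still admits a whitelist of tags and attributes (anchors, images and similar), so if chat messages are not meant to carry markup at all, `xss(msg, { whiteList: {}, stripIgnoreTag: true })` or plain HTML escaping at render time is the tighter choice; the branch above `} else {` lies outside the hunk, so whether it handles `msg` the same way cannot be checked here. Sanitizing on input also means `chatHistory` now holds strings that are presumably rendered as HTML by the client without further escaping, and `req.player.username` is passed through on the same line unsanitized, which is only safe if it is escaped wherever it is rendered. Separately, `chatHistory.slice(-10);` discards its result, so the history is never actually trimmed; `chatHistory.splice(0, chatHistory.length - 10);` (or `chatHistory = chatHistory.slice(-10);` if it is a `let`) is what the line appears to intend. The enclosing route handler starts outside the hunk.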