I am creating a simple small chat with Node.js and socket.io.
When a user sends a message, the server broadcasts it to every client:
    io.sockets.emit('serveroverclient', { "message": message }); // the server sends the message
The client displays it:
    socket.on('serveroverclient', function (data) {
        // appends the raw message as HTML
        $('#message').html($('#message').html() + data.message + '<br/>');
    });
But when someone sends <script>alert(1);</script>, it is executed in every client's browser. This is a serious security flaw and I want to avoid it as much as possible. I have seen people escape the &, <, > and " characters, but I do not think that is enough! How can I be 100% confident that my chat has no XSS vulnerability?
Do not use .html(), because it is basically eval. Text is always understood as text:
    // the element name was lost in extraction; <span> is assumed here
    $('#message').append($('<span>', { text: data.message }));
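To show the difference between the two approaches in plain DOM terms, here is an added example (it is not code from the question or the answer above). It assumes a <div id="messages"> in the page and a socket.io client named socket; the event name 'serveroverclient' is taken from the question. Whatever the server sends, the message lands in the page as a text node, so it is displayed literally and never parsed as markup. An escaping helper is included for the one case where you have no choice but to build an HTML string, and a type check rejects payloads that are not strings.

```javascript
// Added example, not from the original post. Assumes a <div id="messages">
// and a socket.io client `socket` exist in the page.

// Escape the characters that matter when a string is placed into HTML text
// or a double-quoted attribute. Only needed when building an HTML string;
// prefer textContent / createTextNode, which never parse the input at all.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Render one chat message as a text node. A payload such as
// "<script>alert(1)</script>" is shown as those characters, not executed.
// `doc` defaults to the browser document; it is a parameter so the function
// can be exercised outside a browser (e.g. with a stub object in a test).
function appendMessage(container, message, doc = globalThis.document) {
  const line = doc.createElement('div');
  // Reject non-string payloads instead of coercing objects/arrays to text.
  line.textContent = typeof message === 'string' ? message : '';
  container.appendChild(line);
  return line;
}

// Wire the handler to the socket.io client; this part only runs in a browser.
if (typeof window !== 'undefined' && typeof socket !== 'undefined') {
  socket.on('serveroverclient', (data) => {
    appendMessage(document.getElementById('messages'), data && data.message);
  });
}
```

The textContent route is the one to use for the chat itself; escapeHtml is the fallback when a template forces you to concatenate strings, and even then it only covers the HTML text and attribute contexts, not JavaScript or URL contexts.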