Monday 15 July 2013

javascript - Secure Node.js chat (avoid XSS)


I am creating a simple small chat with Node.js and socket.io

When a user sends a message to the server, the server sends the message to all clients:

  io.sockets.emit('serveroverclient', { "message": message });

The client displays it:

  socket.on('serveroverclient', function (data) {
    $('#message').html($('#message').html() + data.message + '<br/>');
  });

But when someone sends <script>alert(1);</script>, it is executed in every client's browser.

This is a serious security flaw and I want to avoid it as much as possible. I have seen people escaping the &, <, > and " characters, but I do not think it is enough!

How can I be 100% confident of not having an XSS vulnerability on my chat?


Do not use .html() because it is basically eval.

Text is always interpreted as text:

  $('#message').append($("<p>", { text: data.message }));
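The following is an added example, not code from the question or the answer above, that makes the difference concrete without a browser: it reproduces the question's string-concatenation rendering beside an escaping renderer, and adds the server-side input check a practitioner would want before broadcasting anything. It runs under plain Node.js; the function names, the `validateMessage` limits and the sample payload are assumptions made for the example.

```javascript
// Added example (not from the original question or answer).
// Contrasts rendering untrusted chat text as markup with rendering it as text,
// and shows a minimal server-side validation step. Pure Node.js, no jQuery.

// Escape the five characters that can change HTML structure when untrusted
// text is placed in element content or a double-quoted attribute.
// (The question lists &, <, > and "; the single quote is added for attributes.)
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// The vulnerable pattern from the question: the raw message becomes markup.
function renderUnsafe(message) {
  return message + '<br/>';
}

// Same idea as the answer's text-node approach, expressed as a string:
// the message is escaped so the browser parses it as text, never as tags.
function renderSafe(message) {
  return '<p>' + escapeHtml(message) + '</p>';
}

// Server-side check to run before io.sockets.emit(): socket.io delivers
// whatever JSON the client sent, so the type and size must be verified here.
// Returns the message to broadcast, or null if it should be dropped.
function validateMessage(message, maxLength = 500) {   // assumed limit
  if (typeof message !== 'string') return null;        // objects, arrays, numbers
  const trimmed = message.trim();
  if (trimmed.length === 0 || trimmed.length > maxLength) return null;
  return trimmed;
}

// Rough scan used only to demonstrate the difference: does the rendered
// fragment contain an opening tag with this name?
function containsTag(html, tagName) {
  return new RegExp('<' + tagName + '[\\s>]', 'i').test(html);
}

// Constructed sample payload, taken from the question's own test string.
const sample = '<script>alert(1);</script>';

console.log('unsafe :', renderUnsafe(sample)); // markup reaches the browser
console.log('safe   :', renderSafe(sample));   // browser shows the literal text
console.log('reject :', validateMessage({ message: 'not a string' }));
```

Escaping is the right tool when you must build an HTML string; the answer's `{ text: data.message }` form is better still because jQuery creates a text node and no escaping step can be forgotten. Either way, keep `validateMessage` on the server: the client code is under the sender's control, so type and length checks done only in the browser are worthless.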
