
jQuery plaintext to hyperlink issue

f0dder:
You'll probably want to hack in your handling in the cah.log.js - and you really, really, really want to be careful when dealing with user input.

The actual rendering of the text is this snippet:

--- Code: Javascript ---
if (opt_allow_html) {
    $(node[0]).html(full_msg);
} else {
    $(node[0]).text(full_msg);
}
So a quick guess without looking at the rest of the codebase is that the user input isn't escaped, it's simply not rendered as html content. You could add escape-then-linkify to the text codepath and replace .text() with .html(), while hoping that whatever escaping method you use handles all the nasty corner cases :-)

Asudem:
You'll probably want to hack in your handling in the cah.log.js - and you really, really, really want to be careful when dealing with user input.

The actual rendering of the text is this snippet:

--- Code: Javascript ---
if (opt_allow_html) {
    $(node[0]).html(full_msg);
} else {
    $(node[0]).text(full_msg);
}
So a quick guess without looking at the rest of the codebase is that the user input isn't escaped, it's simply not rendered as html content. You could add escape-then-linkify to the text codepath and replace .text() with .html(), while hoping that whatever escaping method you use handles all the nasty corner cases :-)
-f0dder (June 11, 2016, 06:08 AM)
--- End quote ---

Super amazing find! Thank you so much! And yes, now the trick is the escape handling as the messages are in
Quote

    [timestamp]<username> message

format and the angle brackets eat the usernames!

Again thank you for pointing me in the right direction everyone!  :D

f0dder:
Super amazing find! Thank you so much! And yes, now the trick is the escape handling as the messages are in
Quote

    [timestamp]<username> message

format and the angle brackets eat the usernames!
-Asudem (June 11, 2016, 10:55 AM)
--- End quote ---
That's one concern - the biggest concern is security. You really don't want to execute random <script> blocks sent by malicious users :)

Asudem:
Super amazing find! Thank you so much! And yes, now the trick is the escape handling as the messages are in
Quote

    [timestamp]<username> message

format and the angle brackets eat the usernames!
-Asudem (June 11, 2016, 10:55 AM)
--- End quote ---
That's one concern - the biggest concern is security. You really don't want to execute random <script> blocks sent by malicious users :)
-f0dder (June 11, 2016, 12:14 PM)
--- End quote ---
Oh no doubt that was my first thought. Perhaps I'll just replace <script> tags altogether with null =P. I'm not too worried about my userbase at the moment and will brainstorm on some proper escape handling!

f0dder:
Oh no doubt that was my first thought. Perhaps I'll just replace <script> tags altogether with null =P. I'm not too worried about my userbase at the moment and will brainstorm on some proper escape handling!
-Asudem (June 11, 2016, 12:46 PM)
--- End quote ---
Yeah, and if people expect a standard server and have access to the standard code, they might not expect script attacks to work - and it's even less of an issue if you run a strictly private server.

Still, it's nice to Do Things Properly. And don't write your own escaping, find some existing project - there's insane corner cases, including all sorts of unicode nastiness.
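The escape-then-linkify ordering f0dder describes for the text codepath, as an added example that is not the cah.log.js code from the thread; it assumes the `[timestamp]<username> message` line shape Asudem mentions and a minimal escaper for the five HTML metacharacters (a maintained escaping library is the better choice in practice, as f0dder says):

```javascript
// Added example (not the cah.log.js code from the thread): escape-then-linkify,
// so the text codepath can switch from .text() to .html() without letting
// user-supplied markup through. Assumed line shape: "[timestamp]<username> message".

const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Step 1: neutralise the five HTML metacharacters in the raw user text.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Step 2 runs on the ESCAPED string. Only http(s) URLs become links, so a
// "javascript:" URL stays inert text, and a match stops at whitespace or at an
// escaped quote/angle bracket, so neither can end up inside the href.
const URL_PATTERN = /https?:\/\/[^\s]+?(?=\s|&lt;|&gt;|&quot;|&#39;|$)/g;

function linkifyEscaped(escaped) {
  return escaped.replace(URL_PATTERN, (url) => {
    // Keep trailing sentence punctuation out of the link target.
    const [, href, trail] = url.match(/^(.*?)([.,:!?]*)$/);
    return `<a href="${href}" rel="noopener noreferrer" target="_blank">${href}</a>${trail}`;
  });
}

// Renders one chat line as HTML. Order matters: escaping AFTER linkifying would
// destroy the <a> tags just built; linkifying BEFORE escaping would let a
// "<script>" in the message survive as real markup.
function renderChatLine(rawLine) {
  return linkifyEscaped(escapeHtml(rawLine));
}

// Constructed sample line in the format the thread describes.
const sample = '[12:01]<alice> see https://example.com/?a=1&b=2, and <script>alert(1)</script>';
console.log(renderChatLine(sample));
// In cah.log.js the text branch would then become:
//   $(node[0]).html(renderChatLine(full_msg));
```

The angle brackets around the username render literally because they are escaped before any HTML is emitted, which is the part Asudem's format was tripping over.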
