jQuery plaintext to hyperlink issue
f0dder:
You'll probably want to hack in your handling in the cah.log.js - and you really, really, really want to be careful when dealing with user input.
The actual rendering of the text is this snippet:
--- Code: Javascript ---
if (opt_allow_html) {
    $(node[0]).html(full_msg);
} else {
    $(node[0]).text(full_msg);
}
--- End code ---
So a quick guess without looking at the rest of the codebase is that the user input isn't escaped, it's simply not rendered as html content. You could add escape-then-linkify to the text codepath and replace .text() with .html(), while hoping that whatever escaping method you use handles all the nasty corner cases :-)
Asudem:
You'll probably want to hack in your handling in the cah.log.js - and you really, really, really want to be careful when dealing with user input.
The actual rendering of the text is this snippet:
--- Code: Javascript ---
if (opt_allow_html) {
    $(node[0]).html(full_msg);
} else {
    $(node[0]).text(full_msg);
}
--- End code ---
So a quick guess without looking at the rest of the codebase is that the user input isn't escaped, it's simply not rendered as html content. You could add escape-then-linkify to the text codepath and replace .text() with .html(), while hoping that whatever escaping method you use handles all the nasty corner cases :-)
-f0dder (June 11, 2016, 06:08 AM)
--- End quote ---
Super amazing find! Thank you so much! And yes, now the trick is the escape handling as the messages are in
Quote
[timestamp]<username> message
--- End quote ---
format and the angle brackets eat the usernames!
Again thank you for pointing me in the right direction everyone! :D
f0dder:
Super amazing find! Thank you so much! And yes, now the trick is the escape handling as the messages are in
Quote
[timestamp]<username> message
format and the angle brackets eat the usernames!
-Asudem (June 11, 2016, 10:55 AM)
--- End quote ---
That's one concern - the biggest concern is security. You really don't want to execute random <script> blocks sent by malicious users :)
Asudem:
Super amazing find! Thank you so much! And yes, now the trick is the escape handling as the messages are in
Quote
[timestamp]<username> message
format and the angle brackets eat the usernames!
-Asudem (June 11, 2016, 10:55 AM)
--- End quote ---
That's one concern - the biggest concern is security. You really don't want to execute random <script> blocks sent by malicious users :)
-f0dder (June 11, 2016, 12:14 PM)
--- End quote ---
Oh no doubt that was my first thought. Perhaps I'll just replace <script> tags altogether with null =P. I'm not too worried about my userbase at the moment and will brainstorm on some proper escape handling!
f0dder:
Oh no doubt that was my first thought. Perhaps I'll just replace <script> tags altogether with null =P. I'm not too worried about my userbase at the moment and will brainstorm on some proper escape handling!
-Asudem (June 11, 2016, 12:46 PM)
--- End quote ---
Yeah, and if people expect a standard server and have access to the standard code, they might not expect script attacks to work - and it's even less of an issue if you run a strictly private server.
Still, it's nice to Do Things Properly. And don't write your own escaping, find some existing project - there's insane corner cases, including all sorts of unicode nastiness.
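A worked version of the escape-then-linkify approach f0dder suggests for the `.text()` codepath, written as an added example for this thread (it is not code from cah.log.js, the CAH project, or either poster). It takes a raw `[timestamp]<username> message` line, HTML-escapes every piece, turns only http(s) URLs into anchors, and so leaves a `<script>` payload or a `javascript:` link as inert text while keeping the `<username>` angle brackets visible. The function names (`escapeHtml`, `linkifyMessage`, `onlyGeneratedAnchors`) and the sample chat lines are assumptions constructed for the example.

```javascript
// Added example: escape-then-linkify for the plaintext chat branch.
// Assumed names; nothing here is taken from the CAH code base.

// Standard five-character HTML escape, safe for text content and for
// double-quoted attribute values such as href="...".
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Only http(s) URLs are eligible for linking; javascript:, data: and any
// other scheme never match and therefore stay plain text. The character
// class stops at whitespace and at the HTML-significant characters, so a
// URL can never carry a quote or tag bracket into the anchor.
const URL_RE = /\bhttps?:\/\/[^\s<>"']+/g;

// Splits the raw line into URL / non-URL pieces and escapes each piece
// separately, so every byte of user input is escaped before it is joined
// into the HTML string. Trailing sentence punctuation is kept out of the link.
function linkifyMessage(raw) {
  raw = String(raw);
  const out = [];
  let last = 0;
  for (const m of raw.matchAll(URL_RE)) {
    out.push(escapeHtml(raw.slice(last, m.index)));
    let url = m[0];
    const trail = url.match(/[.,;:!?]+$/);
    if (trail) url = url.slice(0, -trail[0].length);
    out.push(
      '<a href="' + escapeHtml(url) + '" rel="noopener noreferrer" target="_blank">' +
      escapeHtml(url) + '</a>'
    );
    if (trail) out.push(escapeHtml(trail[0]));
    last = m.index + m[0].length;
  }
  out.push(escapeHtml(raw.slice(last)));
  return out.join('');
}

// Defensive check for tests: after removing the anchors we generated
// ourselves, the output must contain no '<' at all, i.e. no user-supplied
// markup survived.
function onlyGeneratedAnchors(html) {
  const stripped = html.replace(
    /<a href="[^"]*" rel="noopener noreferrer" target="_blank">|<\/a>/g, ''
  );
  return stripped.indexOf('<') === -1;
}

// Constructed sample lines in the [timestamp]<username> message format.
const SAMPLE_LINES = [
  '[12:01]<alice> see http://example.com/?a=1&b=2, ok?',
  '[12:02]<mallory> <script>alert(1)</script> javascript:alert(1)',
  '[12:03]<mallory> http://evil.example/"><script>alert(1)</script>',
];

// Renders each sample and reports whether every rendering is inert.
function allSamplesInert() {
  return SAMPLE_LINES.every((line) => onlyGeneratedAnchors(linkifyMessage(line)));
}

if (typeof require !== 'undefined' && require.main === module) {
  for (const line of SAMPLE_LINES) console.log(linkifyMessage(line));
  console.log('all inert:', allSamplesInert());
}
```

In the snippet from cah.log.js this would replace `$(node[0]).text(full_msg)` with `$(node[0]).html(linkifyMessage(full_msg))`, leaving the `opt_allow_html` branch untouched. The escape itself is the same five-character replacement the browser applies for `.text()`; the part worth borrowing from an existing linkify library rather than hand-rolling is the URL detection, since that regex is where the corner cases accumulate.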