Dispatch chat XSS (removed / from messages) #493
Scripts can be run in the dispatch chat using HTML <script> tags.
This code below was tested on a base qbx build with the PS-MDT and PS-Dispatch being the only modifications.
For base ox_doorlocks this code below can be pasted into the dispatch chat and it allows for teleporting:
<script> $.post(`https://ox_doorlock/teleportToDoor`, JSON.stringify(1)); </script>
This is one of many examples where there is a NUI in Lua that is 'protected' by a single check when a user tries to run the command to open a menu, but the menu callbacks have no checks in them, so anyone using the ps-mdt could use the dispatch chat to call NUI callbacks via JS post commands, bypassing any unchecked NUI elements.
Basically, my change adds a function to strip the / from the HTML closing tags, making invalid HTML, so it's likely to throw an error on the client side.
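An added example, not code from this pull request or from ps-dispatch/ps-mdt: output-encoding a chat message before it is placed in the NUI page, shown next to removing `/` as the description above puts it. The function names, the `chat-line` markup, `stripSlashes` (a reconstruction of the described approach) and the sample messages are assumptions constructed for illustration.

```javascript
// Added example: all names here are hypothetical, not taken from ps-dispatch or ps-mdt.

// Every character that can open markup, an attribute value or a template literal.
const HTML_ENTITIES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
  '`': '&#96;',
};

// Encode untrusted chat text so the NUI browser renders it as literal characters.
function escapeHtml(text) {
  return String(text).replace(/[&<>"'`]/g, (ch) => HTML_ENTITIES[ch]);
}

// Assumption: the approach the description mentions, reduced to "drop every '/'".
function stripSlashes(text) {
  return String(text).replace(/\//g, '');
}

// Build the markup for one chat line; sender and message are both untrusted.
function renderChatLine(sender, message) {
  return `<div class="chat-line"><b>${escapeHtml(sender)}</b>: ${escapeHtml(message)}</div>`;
}

// Constructed sample inputs: the message quoted in the description and an ordinary one.
const scriptMessage =
  '<script> $.post(`https://ox_doorlock/teleportToDoor`, JSON.stringify(1)); </script>';
const normalMessage = '10/4, en route to Route 68 / Joshua Rd';

function demo() {
  return {
    encodedScript: escapeHtml(scriptMessage),   // no '<' or '>' left for the parser
    encodedNormal: escapeHtml(normalMessage),   // unchanged, still readable
    strippedNormal: stripSlashes(normalMessage), // ordinary text is altered
    line: renderChatLine('Unit 12', scriptMessage),
  };
}

console.log(demo());
```

Where the chat UI builds DOM nodes directly, assigning the message to `textContent` instead of `innerHTML` gives the same result without a hand-written encoder.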