Dispatch chat XSS (removed / from messages) #493
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
This is a great catch. However, I suggest we sanitize the input in the HTML input, to catch it as early as possible. Could you move the sanitation to JavaScript instead? |
|
Sweet as I’ll make an edit today |
|
The edit has been finished the Sanitation is now within the the javaScript. I also changed it from just removing the char to encoding and added other symbols such as >, / , & and quotes since these are commonly used in injection so it now allows the user to still send the messages without erroring out like my last patch and people can now also see when someone attempts to input HTML. |
|
|
|
@xFutte Are there any other requirements? |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Scripts can be run in the dispatch chat using HTML <script> tags
This code below was tested on a base qbx build with the PS-MDT and PS-Dispatch being the only modifications.
For base ox_doorlocks this code below can be pasted into the dispatch chat and it allows for teleporting
<script> $.post(`https://ox_doorlock/teleportToDoor`, JSON.stringify(1)); </script>This is one of many examples where there is a NUI in lua that is 'protected' by a single check when a user trys to run the command to open a menu but the menu call backs have no checks in it so anyone using the ps-mdt could use the dispatch chat to call NUI callbacks via JS post commands bypassing any unchecked NUI elements.
basically my change adds a function to strip the / from the HTML closing tags making invalid HTML so its likely to throw an error in the client side.