fix(chat): Fix escapeString (#38)

* fix(chat): Fix escapeString * fix(chat-extended): Fix escapeString * fix(chat): Fix another xss * fix(chat-extended): Fix another xss
altmp · May 8, 2024 · b1056bf · b1056bf
1 parent 665edb2
commit b1056bf
Show file tree

Hide file tree

Showing 2 changed files with 6 additions and 10 deletions.
diff --git a/chat/client/html/app.js b/chat/client/html/app.js
@@ -18,7 +18,7 @@ function escapeString(str) {
   if (typeof str !== "string") return str;
 
   return str
-    .replace(/&/g, "&amp;")
+    //.replace(/&/g, "&amp;")
     .replace(/</g, "&lt;")
     .replace(/>/g, "&gt;")
     .replace(/"/g, "&quot;")
@@ -30,8 +30,6 @@ function colorify(text) {
   let m = null;
   let curPos = 0;
 
-  text = escapeString(text);
-
   do {
     m = /\{[A-Fa-f0-9]{3}\}|\{[A-Fa-f0-9]{6}\}/g.exec(text.substr(curPos));
 
@@ -180,7 +178,7 @@ function addString(text) {
   highlightChat();
 }
 
-alt.on("addString", (text) => addString(colorify(text)));
-alt.on("addMessage", (name, text) => addString("<b>" + name + ": </b>" + colorify(text)));
+alt.on("addString", (text) => addString(colorify(escapeString(text))));
+alt.on("addMessage", (name, text) => addString("<b>" + escapeString(name) + ": </b>" + colorify(escapeString(text))));
 alt.on("openChat", openChat);
 alt.on("closeChat", closeChat);
diff --git a/freeroam-extended/client/html/app.js b/freeroam-extended/client/html/app.js
@@ -18,16 +18,14 @@ function escapeString(str) {
   if (typeof str !== "string") return str;
 
   return str
-    .replace(/&/g, "&amp;")
+    //.replace(/&/g, "&amp;")
     .replace(/</g, "&lt;")
     .replace(/>/g, "&gt;")
     .replace(/"/g, "&quot;")
     .replace(/'/g, "&#39;");
 }
 
 function colorify(text) {
-  text = escapeString(text);
-
   let matches = [];
   let m = null;
   let curPos = 0;
@@ -235,8 +233,8 @@ function setVoiceConnectionState(state) {
   el.textContent = stateText
 }
 
-alt.on("addString", (text) => addString(colorify(text)));
-alt.on("addMessage", (name, text) => addString("<b>" + colorify(name) + ": </b>" + colorify(text)));
+alt.on("addString", (text) => addString(colorify(escapeString(text))));
+alt.on("addMessage", (name, text) => addString("<b>" + colorify(escapeString(name)) + ": </b>" + colorify(escapeString(text))));
 alt.on("openChat", openChat);
 alt.on("closeChat", closeChat);
 alt.on("updatePlayersOnline", updatePlayersOnline);