From b1056bfcef7afc20ca46c0b0c003218145d9c607 Mon Sep 17 00:00:00 2001
From: Marcel N <67131061+xLuxy@users.noreply.github.com>
Date: Wed, 8 May 2024 22:46:33 +0200
Subject: [PATCH] fix(chat): Fix escapeString (#38)
* fix(chat): Fix escapeString
* fix(chat-extended): Fix escapeString
* fix(chat): Fix another xss
* fix(chat-extended): Fix another xss
---
chat/client/html/app.js | 8 +++-----
freeroam-extended/client/html/app.js | 8 +++-----
2 files changed, 6 insertions(+), 10 deletions(-)
diff --git a/chat/client/html/app.js b/chat/client/html/app.js
index 55674ef..96e9ee8 100644
--- a/chat/client/html/app.js
+++ b/chat/client/html/app.js
@@ -18,7 +18,7 @@ function escapeString(str) {
if (typeof str !== "string") return str;
return str
- .replace(/&/g, "&")
+ //.replace(/&/g, "&")
.replace(//g, ">")
.replace(/"/g, """)
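Review bot: The ampersand replacement in `escapeString` is left commented out, so `&` now passes through unescaped; entity-like sequences in player text are then decoded by the HTML parser instead of being shown literally, and the function is no longer a complete HTML escaper. If the line was disabled because text was being escaped twice (presumably through the `escapeString` call inside `colorify`, which this commit removes), it can be restored as the first step of the chain: `.replace(/&/g, "&amp;")`. Otherwise, replace the dead line with a short comment saying why `&` is deliberately skipped. The `escapeString` hunk in freeroam-extended/client/html/app.js has the same commented-out line, and in both files the function body continues outside the hunk.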
@@ -30,8 +30,6 @@ function colorify(text) {
let m = null;
let curPos = 0;
- text = escapeString(text);
-
do {
m = /\{[A-Fa-f0-9]{3}\}|\{[A-Fa-f0-9]{6}\}/g.exec(text.substr(curPos));
@@ -180,7 +178,7 @@ function addString(text) {
highlightChat();
}
-alt.on("addString", (text) => addString(colorify(text)));
-alt.on("addMessage", (name, text) => addString("" + name + ": " + colorify(text)));
+alt.on("addString", (text) => addString(colorify(escapeString(text))));
+alt.on("addMessage", (name, text) => addString("" + escapeString(name) + ": " + colorify(escapeString(text))));
alt.on("openChat", openChat);
alt.on("closeChat", closeChat);
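Review bot: Escaping is now the responsibility of each `alt.on` handler, and `colorify` no longer escapes its own input, so any other caller that passes player-controlled text to `colorify` or `addString` would hand it on unescaped (presumably to be rendered as HTML). Only these two call sites are visible in the hunk. A comment on `colorify` such as `// text must already be HTML-escaped; this only adds colour markup` would state the contract, or a single helper that returns `colorify(escapeString(x))` would keep the two calls from drifting apart. `escapeString` also returns non-string values unchanged, so a non-string `text` still reaches `colorify` as-is. The handler hunk in freeroam-extended/client/html/app.js follows the same pattern, with `name` additionally passed through `colorify`.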
diff --git a/freeroam-extended/client/html/app.js b/freeroam-extended/client/html/app.js
index 04f622e..c6836c9 100644
--- a/freeroam-extended/client/html/app.js
+++ b/freeroam-extended/client/html/app.js
@@ -18,7 +18,7 @@ function escapeString(str) {
if (typeof str !== "string") return str;
return str
- .replace(/&/g, "&")
+ //.replace(/&/g, "&")
.replace(//g, ">")
.replace(/"/g, """)
@@ -26,8 +26,6 @@ function escapeString(str) {
}
function colorify(text) {
- text = escapeString(text);
-
let matches = [];
let m = null;
let curPos = 0;
@@ -235,8 +233,8 @@ function setVoiceConnectionState(state) {
el.textContent = stateText
}
-alt.on("addString", (text) => addString(colorify(text)));
-alt.on("addMessage", (name, text) => addString("" + colorify(name) + ": " + colorify(text)));
+alt.on("addString", (text) => addString(colorify(escapeString(text))));
+alt.on("addMessage", (name, text) => addString("" + colorify(escapeString(name)) + ": " + colorify(escapeString(text))));
alt.on("openChat", openChat);
alt.on("closeChat", closeChat);
alt.on("updatePlayersOnline", updatePlayersOnline);