Merge pull request #24 from PauloASilva/hotfix/WebIM-XSS
fix: WebIM Cross-site Scripting vulnerability
astaxie authored Apr 20, 2018
2 parents 3c6e189 + 17c8b69 commit 1c696ee
Showing 2 changed files with 38 additions and 11 deletions.
23 changes: 18 additions & 5 deletions WebIM/static/js/longpolling.js
Expand Up @@ -7,22 +7,35 @@ var fetch = function () {
$.getJSON("/lp/fetch?lastReceived=" + lastReceived, function (data) {
if (data == null) return;
$.each(data, function (i, event) {
var li = document.createElement('li');

switch (event.Type) {
case 0: // JOIN
if (event.User == $('#uname').text()) {
$("#chatbox li").first().before("<li>You joined the chat room.</li>");
li.innerText = 'You joined the chat room.';
} else {
$("#chatbox li").first().before("<li>" + event.User + " joined the chat room.</li>");
li.innerText = event.User + ' joined the chat room.';
}
break;
case 1: // LEAVE
$("#chatbox li").first().before("<li>" + event.User + " left the chat room.</li>");
li.innerText = event.User + ' left the chat room.';
break;
case 2: // MESSAGE
$("#chatbox li").first().before("<li><b>" + event.User + "</b>: " + event.Content + "</li>");
var username = document.createElement('strong');
var content = document.createElement('span');

username.innerText = event.User;
content.innerText = event.Content;

li.appendChild(username);
li.appendChild(document.createTextNode(': '));
li.appendChild(content);

break;
}

$('#chatbox li').first().before(li);

lastReceived = event.Timestamp;
});
isWait = false;
Expand All @@ -49,4 +62,4 @@ $(document).ready(function () {
$('#sendbtn').click(function () {
postConecnt();
});
});
});
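Review bot: The `switch (event.Type)` in the first hunk has no `default` branch, and `$('#chatbox li').first().before(li)` now runs unconditionally after it, so an event with an unrecognised `Type` appends an empty `<li>` to the chat box where the old code inserted nothing. A one-line guard keeps the `lastReceived` update intact while restoring the old behaviour: `if (li.childNodes.length > 0) $('#chatbox li').first().before(li);`. The same missing default exists in the websocket.js section below. As a style point, `textContent` is the standard property for writing plain text into a node and is equally safe against markup injection here; `innerText` additionally depends on layout and converts newlines to `<br>`, which this code does not need. The enclosing `fetch` function starts above the hunk.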
26 changes: 20 additions & 6 deletions WebIM/static/js/websocket.js
Expand Up @@ -6,33 +6,47 @@ $(document).ready(function () {
// Message received on the socket
socket.onmessage = function (event) {
var data = JSON.parse(event.data);
var li = document.createElement('li');

console.log(data);

switch (data.Type) {
case 0: // JOIN
if (data.User == $('#uname').text()) {
$("#chatbox li").first().before("<li>You joined the chat room.</li>");
li.innerText = 'You joined the chat room.';
} else {
$("#chatbox li").first().before("<li>" + data.User + " joined the chat room.</li>");
li.innerText = data.User + ' joined the chat room.';
}
break;
case 1: // LEAVE
$("#chatbox li").first().before("<li>" + data.User + " left the chat room.</li>");
li.innerText = data.User + ' left the chat room.';
break;
case 2: // MESSAGE
$("#chatbox li").first().before("<li><b>" + data.User + "</b>: " + data.Content + "</li>");
var username = document.createElement('strong');
var content = document.createElement('span');

username.innerText = data.User;
content.innerText = data.Content;

li.appendChild(username);
li.appendChild(document.createTextNode(': '));
li.appendChild(content);

break;
}

$('#chatbox li').first().before(li);
};

// Send messages.
var postConecnt = function () {
var uname = $('#uname').text();
var content = $('#sendbox').val();
socket.send(content);
$('#sendbox').val("");
$('#sendbox').val('');
}

$('#sendbtn').click(function () {
postConecnt();
});
});
});
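Review bot: The `var username` and `var content` declarations added under `case 2` are hoisted to the whole `onmessage` handler rather than scoped to that case, so they exist (as `undefined`) on the JOIN and LEAVE paths too; wrapping the case body in braces, `case 2: { ... break; }`, makes the intended scope explicit and avoids accidental reuse if another case is added later. The `$('#sendbox').val('')` quote-style change in `postConecnt` is unrelated cosmetic churn inside a security hotfix and would be easier to audit as a separate commit. The enclosing `$(document).ready` callback starts above the hunk.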
