kbrsh / lock
:boom: self destructing messages
Home Page: http://uselock.herokuapp.com
License: MIT License
This is a plan to start Lock from scratch, changing everything (including the name).
This will be updated as more things are added, feel free to comment on the changes.
I need to recode everything as the methods used in this just aren't efficient. :(
Hi KingPixil,
Lock is vulnerable to stored XSS, a form of code injection wherein one can execute malicious scripts into a page.
Cross-site scripting exists whenever input can be interpreted as code. In this case you simply replace {{message}} in template.html with the user's message without escaping the input:

```js
var renderDel = function(message) {
return template.replace(/{{message}}/g, message);
}
```
Link: https://github.com/KingPixil/lock/blob/master/src/view.js#L6-L8
```html
<div id="content">
<h3 class="centered">{{message}}</h3>
<h5 id="counter">5</h5>
</div>
```
Link: https://github.com/KingPixil/lock/blob/master/views/template/template.html#L22-L25
With the payload this looks as follows:

```html
<div id="content">
<h3 class="centered"><svg onload=alert(1)></h3>
<h5 id="counter">5</h5>
</div>
```

The example above should open up an alert box displaying 1.
A cross-site scripting vulnerability allows an attacker to modify the page.
A very good list of malicious payloads can be found here: http://www.xss-payloads.com/payloads.html
As mentioned before, all user input should be escaped.
Please do add a link to this repository on the webpage. Maybe an icon will do fine
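An added example, not code from the lock project or its reporter, that puts the renderDel from the XSS report beside a version that HTML-escapes the message before substitution. The template string is a constructed copy of the snippet quoted above, and introducesTag is a hypothetical helper used only to check the rendered output.

```javascript
// Constructed copy of the relevant part of template.html.
const template = [
  '<div id="content">',
  '<h3 class="centered">{{message}}</h3>',
  '<h5 id="counter">5</h5>',
  '</div>',
].join('\n');

// Vulnerable form from the report: the raw message becomes markup.
function renderDelUnsafe(message) {
  return template.replace(/{{message}}/g, message);
}

// Escape the characters that change meaning in HTML text and
// attribute-value context.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => ({
    '&': '&amp;',
    '<': '&lt;',
    '>': '&gt;',
    '"': '&quot;',
    "'": '&#39;',
  })[ch]);
}

// Hardened form: escape first, and pass a replacer function so that
// "$&"-style patterns in the message are not expanded by String.replace.
function renderDelSafe(message) {
  const escaped = escapeHtml(message);
  return template.replace(/{{message}}/g, () => escaped);
}

// Hypothetical check: did rendering add an element start tag that the
// template itself does not contain?
function introducesTag(rendered) {
  const count = (s) => (s.match(/<[a-z][^>]*>/gi) || []).length;
  return count(rendered) > count(template);
}

// The payload from the report; the unsafe render emits a live <svg> tag,
// the safe render emits inert text.
const payload = '<svg onload=alert(1)>';
console.log(renderDelUnsafe(payload));
console.log(renderDelSafe(payload));
```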