Comments (5)
Thank you for raising this issue.
I have thought of fixing it by replacing < and > characters with < and >
characters right before saving the sent message into the database, so that the
string
is safe no matter how/when/where it is rendered.
What do you think, is it elegant enough?
Original comment by [email protected]
on 3 Jan 2010 at 3:48
- Changed state: Accepted
from django-jchat.
Out of concerns of completeness I would not use such a solution. I'm assuming
you
mean replacing < and > with < and > on the server side (as in doing it client
side would be a new security issue).
Instead I would do it by not displaying user-contributed HTML what so ever on
the
client side (the templating system already does this by default) and instead
swap in
the smileys and stuff on the client side by searching through every new message
and
replacing it by the smiley image.. this should be fairly easy to do with JQuery.
Your application can't know for certain the data it gets from the DB is in fact
valid, "safe" content, since it's conceivable someone would be able to break
into the
DB without breaking into the app and then contaminate the content in the DB,
thereby
making users vulnerable to XSS attacks if the apps don't escape such data before
displaying it.
Original comment by [email protected]
on 3 Jan 2010 at 4:34
from django-jchat.
I see your point, I totally forgot about hacks like the one you mentioned,
where the
database is directly affected.
I'll be fixing this on the client side asap.
Thanks for the suggestion.
Original comment by [email protected]
on 6 Jan 2010 at 7:51
from django-jchat.
This issue was closed by revision r4.
Original comment by [email protected]
on 27 Feb 2010 at 10:18
- Changed state: Fixed
from django-jchat.
Fixed on r4, thanks for the heads up!
Original comment by [email protected]
on 27 Feb 2010 at 10:20
from django-jchat.
Related Issues (11)
- Implement connected user lists
- .
- I cannot see the message I type !!!
- Implement internationalization
- Implement other message types
- Implement AJAX Push HOT 1
- message is double or plus than one HOT 2
- When typing a message, there is a delay before it gets displayed HOT 1
- Error module jchat
- Missing CSRF token on login.html
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from django-jchat.