Show HN: Roomchat – No signup instant custom chat rooms

roomchat.co

19 points by nerdburn 10 years ago · 8 comments


mike-cardwell 10 years ago

XSS by writing the message:

  <i<script></script>mg src="#" onerror="alert(1)">

Just stripping out tags doesn't work. Stripping out the script tags there simply ends up creating another new tag. You need to understand and implement proper escaping.

timebomb 10 years ago

Cool! Looks like HTML injection isn't blocked whatsoever. With chat messages being loaded as people enter, it could lead to someone exploiting everyone that enters your site.

nerdburn (OP) 10 years ago

We created this in Meteor.js, pretty fun. Great for short term chat rooms that don't need a sign up. Would love feedback!

nautical 10 years ago

Please fix it: <IMG SRC=# onmouseover="alert('xxs')">

nautical 10 years ago

People ... It still has XSS issues ..
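An added example, not part of the thread and not Roomchat's code: it runs the two messages quoted in the comments above through a script-tag-stripping filter and through output escaping, to show why only the second is safe to render. The function names and the filter's regex are assumptions; the site's actual filter is not shown on the page.

```javascript
// Hypothetical filter of the kind described in the thread: it removes
// <script> and </script> tags and leaves everything else untouched.
function stripScriptTags(input) {
  return input.replace(/<\/?script[^>]*>/gi, "");
}

// Output escaping for HTML text and quoted attribute values: every character
// that can open a tag, an entity or an attribute delimiter becomes an entity.
const HTML_ESCAPES = {
  "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
};
function escapeHtml(input) {
  return String(input).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Rough review-time check: is there still a tag carrying an on* event
// handler attribute? (A heuristic for this demo, not a sanitizer.)
function hasEventHandlerTag(html) {
  return /<[a-z][^>]*\son\w+\s*=/i.test(html);
}

// The two messages quoted in the comments above.
const messages = [
  '<i<script></script>mg src="#" onerror="alert(1)">',
  "<IMG SRC=# onmouseover=\"alert('xxs')\">",
];

// For each message, record what each approach would hand to the page.
function compare(msgs) {
  return msgs.map((m) => {
    const stripped = stripScriptTags(m);
    const escaped = escapeHtml(m);
    return {
      stripped,
      escaped,
      strippedStillActive: hasEventHandlerTag(stripped),
      escapedStillActive: hasEventHandlerTag(escaped),
    };
  });
}

for (const row of compare(messages)) {
  console.log(row);
}
```

In the browser, assigning the message to `textContent` rather than `innerHTML` has the same effect as the escaper here, because the text is never parsed as markup.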
