vue-advanced-chat
Prevent XSS
Describe the bug
Currently we have not yet applied any protection against XSS exploits, as shown below.
Steps to reproduce
- In the chat box, write: <img src=x onerror=alert('hi') />
- The browser shows an alert with "hi" because the code uses v-html
Expected behavior
Prevent XSS
Screenshots
Device (please complete the following information)
Package version: 1.5.7
Yes I am aware of this issue, thanks for pointing it out. I will fix it shortly
you can use https://www.npmjs.com/package/dompurify to prevent xss
issue is not closed for me. I can reproduce xss.
Hey @chriswalg, what version of vue-advanced-chat are you using?
I tested on 2.0.8 and 2.0.10
Please share the text content you used to trigger the XSS.
I've tested with <img src=x onerror=alert('hi') />
on the demo app to verify the rendered HTML is sanitized, and it seems to be correct.
you are right, it cannot be reproduced in the large chat window in which all messages are displayed. i can only reproduce it in the small chat window.
Please share a screenshot. Also, what do you mean by the small chat window? Thanks!
XSS is also reproducible on https://vue-advanced-chat-app.netlify.app/chat.
Hey @antoine92190, I don't think https://vue-advanced-chat-app.netlify.app/chat has been updated to the latest library version. Also, I'm not familiar with the small chat window view @chriswalg is referencing. If it's using src/components/FormatMessage/FormatMessage.vue, then it should also prevent XSS with the sanitized Markdown-generated HTML.