Strip special chars in messages that come from users #9
Comments
Yep, take a look at
Can you give a hint how to access the message as a string?
func (r *Room) sendMessage(mt int, st int, rec []string, a string, m interface{}) error {
But I don't know how to strip the m, as m is an interface.
// New Replace function not compiling, as "m" is not a string
In your concept it is only possible to deny a message. Isn't it better to clean the message text of special chars and still send/process it? Thus "cut" special chars and prevent cross-site attacks/SQL injection etc.?
OK, I extended the core messgage.go. To do it without bigger changes, the html Go package has a function to escape HTML chars from a string: https://pkg.go.dev/html#EscapeString
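The comments above ask how to clean a payload that arrives as `m interface{}` and point to `html.EscapeString`. The following is an added example, not code from the project or from any commenter: `EscapePayload` is a hypothetical helper, and it assumes the payload is JSON-decoded data (strings, maps, slices, numbers, bools) rather than the project's actual message types.

```go
package main

import (
	"fmt"
	"html"
)

// EscapePayload returns a copy of m with every string HTML-escaped.
// Hypothetical helper. Assumption: m is JSON-decoded data, so strings can
// only appear directly, as map keys/values, or as slice elements.
func EscapePayload(m interface{}) interface{} {
	switch v := m.(type) {
	case string:
		// Escapes <, >, &, ' and " so the text cannot open a tag or
		// break out of a quoted attribute when rendered as HTML.
		return html.EscapeString(v)
	case map[string]interface{}:
		out := make(map[string]interface{}, len(v))
		for k, val := range v {
			// Keys can be sender-chosen too, so escape them as well.
			out[html.EscapeString(k)] = EscapePayload(val)
		}
		return out
	case []interface{}:
		out := make([]interface{}, len(v))
		for i, val := range v {
			out[i] = EscapePayload(val)
		}
		return out
	default:
		// Numbers, bools and nil pass through unchanged. A struct payload
		// is NOT walked here and would need its own case.
		return v
	}
}

func main() {
	// Constructed sample message, as one user might send it to a room.
	msg := map[string]interface{}{
		"text": `<script>alert(1)</script>`,
		"tags": []interface{}{`"a" & 'b'`, 7.0},
	}
	fmt.Println(EscapePayload(msg))
}
```

`html.EscapeString` only makes text safe for HTML element content and quoted attribute values; it does nothing for SQL, where parameterized queries are the fix. Clients that receive relayed messages should still insert them as text rather than as markup.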
I could break my output in HTML/JS because the server relays messages unfiltered from user to other user, e.g. "room messages" or "private messages".
So my request is: Please enable a config or a small code that strips "special chars/html/tags/javascript" from user input.
I couldn't figure out where this aspect could be implemented correctly. (Core?)