
Strip special chars in messages that come from users #9

Open
perling1 opened this issue Feb 15, 2022 · 4 comments
Labels
enhancement New feature or request

Comments

@perling1

I could break my output in HTML/JS because the server relays messages unfiltered from one user to another, e.g. "room messages" or "private messages".

So my request is: Please enable a config or a small code that strips "special chars/html/tags/javascript" from user input.

I couldn't figure out where this aspect could be implemented correctly. (Core?)

@perling1 perling1 changed the title Strip special chars on Messages to come from users Strip special chars in messages that come from users Feb 15, 2022
@hewiefreeman hewiefreeman added the enhancement New feature or request label Feb 16, 2022
@hewiefreeman
Owner

Yep, take a look at core/messaging.go. I'll update the chat callbacks so it's possible to prevent the message from being sent if you return false. That way, you can inspect the message and return false if you don't like any of the characters.

@perling1
Author

perling1 commented Feb 16, 2022

Can you give a hint on how to access the message as a string?
I am trying to extend the function sendMessage:

func (r *Room) sendMessage(mt int, st int, rec []string, a string, m interface{}) error {

But I don't know how to strip m, as m is an interface.

// New Replace function not compiling, as "m" is not a string
outputstr := strings.Replace(m, ";", "", -1)

@perling1
Author

perling1 commented Feb 16, 2022

> Yep, take a look at core/messaging.go. I'll update the chat callbacks so it's possible to prevent the message from being sent if you return false. That way, you can inspect the message and return false if you don't like any of the characters.

In your concept it is only possible to deny a message. Isn't it better to clean the message text of special chars and still send/process it? Thus "cut" special chars and prevent cross-site attacks/SQL injection etc.?

@perling1
Author

OK, I extended core/messaging.go. To do it without bigger changes, the html Go package has a function to escape HTML chars from a string: https://pkg.go.dev/html#EscapeString
Now it's safe to show the messages to other users in an HTML context.

import (
	"fmt"
	"html"
)
..
// The message line 234
	// Render the interface{} payload as text, then escape <, >, &, ' and "
	// so the receiving page can insert it as HTML text content.
	outputstr := fmt.Sprintf("%v", m)
	outputstr = html.EscapeString(outputstr)

	message[helpers.ServerActionRoomMessage]["m"] = outputstr
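Putting the two approaches from this thread side by side, as an added example that is not code from the project or from either commenter (the names messageText, EscapeForHTML, RejectControlChars and relay are assumptions for illustration, not functions in core/messaging.go): the message arrives as interface{}, so a type switch turns it into a string first; html.EscapeString then escapes it for an HTML text context, and a filter callback of the kind the maintainer describes can still refuse a message outright, here for control characters, invalid UTF-8 or excessive length.

```go
package main

import (
	"errors"
	"fmt"
	"html"
	"unicode"
	"unicode/utf8"
)

// ErrRejected is returned by relay when the filter callback refuses a message.
var ErrRejected = errors.New("message rejected by filter")

// messageText renders the interface{} payload of a room or private message as
// a string. Strings and byte slices pass through; anything else is formatted
// with %v, which is what fmt.Sprintf("%v", m) does in the issue.
func messageText(m interface{}) string {
	switch v := m.(type) {
	case string:
		return v
	case []byte:
		return string(v)
	case fmt.Stringer:
		return v.String()
	default:
		return fmt.Sprintf("%v", v)
	}
}

// EscapeForHTML is the "clean it and still send it" option: the text is
// escaped with html.EscapeString (<, >, &, ' and ") so the receiving page can
// drop it into an HTML text node without it being parsed as markup.
func EscapeForHTML(m interface{}) string {
	return html.EscapeString(messageText(m))
}

// RejectControlChars builds a filter callback of the kind the maintainer
// proposes: it returns false to block the message. Here a message is blocked
// when it is longer than maxLen bytes, is not valid UTF-8, or contains a
// control character other than tab and newline (NUL, ESC sequences, etc.).
// These names and thresholds are assumptions, not project behaviour.
func RejectControlChars(maxLen int) func(m interface{}) bool {
	return func(m interface{}) bool {
		s := messageText(m)
		if len(s) > maxLen || !utf8.ValidString(s) {
			return false
		}
		for _, r := range s {
			if r == '\t' || r == '\n' {
				continue
			}
			if unicode.IsControl(r) {
				return false
			}
		}
		return true
	}
}

// relay models the server-side step: run the callback first and, only if it
// accepts the message, escape it and build the outgoing "m" field.
func relay(accept func(interface{}) bool, m interface{}) (map[string]string, error) {
	if !accept(m) {
		return nil, ErrRejected
	}
	return map[string]string{"m": EscapeForHTML(m)}, nil
}

func main() {
	accept := RejectControlChars(256)
	// Constructed sample messages, not captured from a real deployment.
	samples := []interface{}{
		"hello there",
		"<img src=x onerror=alert(1)>",
		[]byte(`say "hi" & 'bye'`),
		"\x1b[31mred text",
		42,
	}
	for _, m := range samples {
		out, err := relay(accept, m)
		if err != nil {
			fmt.Printf("%q -> %v\n", messageText(m), err)
			continue
		}
		fmt.Printf("%q -> %q\n", messageText(m), out["m"])
	}
}
```

html.EscapeString only covers an HTML text node or a quoted attribute value. If the receiving client inserts the message with textContent (or a framework that escapes by default), server-side escaping is redundant and users will see a literal `&lt;`; if the client puts it into a script block, a URL or an unquoted attribute, escaping five characters is not enough. HTML escaping also does nothing for SQL injection: that is addressed with parameterised queries at the database layer, not by altering the message text.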
