messages are now sanitized for unsafe html/js using DOMPurify

5 years ago · 08c2ec786c
2 changed files with 4 additions and 3 deletions
--- a/chatto/src/main/resources/static/js/chat.js
+++ b/chatto/src/main/resources/static/js/chat.js
@ -125,7 +125,7 @@ function populateMessages(userName, passphrase) {
                        }

                        messageLogNew.push(JSON.stringify(context));
-                        $(chatAreaNew).append(msgContainer);
+                        $(chatAreaNew).append(DOMPurify.sanitize(msgContainer));


                    });
@ -179,7 +179,7 @@ function populateMessages(userName, passphrase) {
                            }

                            storedMessagesNew.push(JSON.stringify(context));
-                            $(chatAreaNew).append(msgContainer);
+                            $(chatAreaNew).append(DOMPurify.sanitize(msgContainer));

                        })
                        sessionStorage.setItem(userName + '-time', lastMessageTimeStamp);
@ -219,7 +219,7 @@ function populateMessages(userName, passphrase) {
                            msgContainer = msgContainerTemplate(context);
                        }

-                        $(chatAreaNew).append(msgContainer);
+                        $(chatAreaNew).append(DOMPurify.sanitize(msgContainer));
                    })


--- a/chatto/src/main/resources/templates/chat.html
+++ b/chatto/src/main/resources/templates/chat.html
@ -14,6 +14,7 @@
    <link rel="stylesheet" th:href="@{/css/chat.css}" href="../static/css/chat.css">

    <script src="https://cdnjs.cloudflare.com/ajax/libs/handlebars.js/4.4.2/handlebars.min.js"></script>
+    <script src="https://cdnjs.cloudflare.com/ajax/libs/dompurify/2.0.3/purify.js"></script>
    <!-- <script th:src="@{js/my_Crypto.js}" type="text/javascript"></script> -->