messages are now sanitized for unsafe html/js using DOMPurify

chatto/src/main/resources/static/js/chat.js

@@ -125,7 +125,7 @@ function populateMessages(userName, passphrase) {
                         }
 
                         messageLogNew.push(JSON.stringify(context));
-                        $(chatAreaNew).append(msgContainer);
+                        $(chatAreaNew).append(DOMPurify.sanitize(msgContainer));
 
 
                     });
@@ -179,7 +179,7 @@ function populateMessages(userName, passphrase) {
                             }
 
                             storedMessagesNew.push(JSON.stringify(context));
-                            $(chatAreaNew).append(msgContainer);
+                            $(chatAreaNew).append(DOMPurify.sanitize(msgContainer));
 
                         })
                         sessionStorage.setItem(userName + '-time', lastMessageTimeStamp);
@@ -219,7 +219,7 @@ function populateMessages(userName, passphrase) {
                             msgContainer = msgContainerTemplate(context);
                         }
 
-                        $(chatAreaNew).append(msgContainer);
+                        $(chatAreaNew).append(DOMPurify.sanitize(msgContainer));
                     })
 
 

chatto/src/main/resources/templates/chat.html

@@ -14,6 +14,7 @@
     <link rel="stylesheet" th:href="@{/css/chat.css}" href="../static/css/chat.css">
 
     <script src="https://cdnjs.cloudflare.com/ajax/libs/handlebars.js/4.4.2/handlebars.min.js"></script>
+    <script src="https://cdnjs.cloudflare.com/ajax/libs/dompurify/2.0.3/purify.js"></script>
     <!-- <script th:src="@{js/my_Crypto.js}" type="text/javascript"></script> -->