Petras V.

Reputation: 187

XSS in socket.io/node.js chat?

Okay, so I've been trying to fix the XSS on my website, and every time it failed. There is a string called 'name' in which people change their name to something like <script>alert("HahS");</script> I already tried

// First attempt: strip angle brackets from the submitted name
name = name.replace(/(<|>)/g, '');

// Second attempt: reject any submitted name that still contains '<'
if (name.indexOf('<') !== -1) {
    return false;
}

All I managed to do is fix the XSS for the user who sent it, but for everyone else logged in it still pops up.

Upvotes: 0

Views: 976

Answers (1)

Seth Holladay

Reputation: 9539

Don't write your own regex for this. Use encodeURIComponent(), which is the proper way to escape user input like this.

const sanitized = encodeURIComponent(name);

The trick is that you need to do this in the right place. If your name parameter is being broadcast to other clients, you need to decide where you want to escape it. Generally, it is best to do this right before the data is rendered or used in such a way that would be dangerous if not escaped.

This implies:

  1. Doing it on the client, rather than on your server.
  2. Doing it when the client initializes / renders, rather than when the potentially malicious user submits their name.

If you are having a hard time figuring out where the right place is, just add encodeURIComponent() everywhere you use name and work backwards (figure out where you can remove it). You will probably end up with name being double-escaped in the meantime. But that's okay for most innocent values of name and it is a better default than being open to XSS attacks.

Upvotes: 1
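The following is an added example, not code from the question or the answer, showing the "escape at render time, on the receiving client" placement the answer describes. It escapes for the HTML context with a small entity-encoding helper (escapeHtml) and, when a DOM is available, avoids parsing markup at all by using textContent; encodeURIComponent, which the answer recommends, is kept beside it so the difference in output is visible. The socket.io event name 'chat message', the payload shape { name, text } and the hostile sample message are assumptions.

```javascript
// Added example: escape the untrusted `name` where it is rendered, on the
// client that receives the broadcast, not where the sender submits it.

// Minimal HTML entity escaping for text placed in an element body or a
// double-quoted attribute. These five characters are the ones that can
// change how the HTML parser reads the surrounding markup.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Builds the markup for one chat line from a broadcast payload { name, text }.
// Both fields came from another user, so both are escaped. Use this when the
// code really has to build an HTML string (e.g. for innerHTML).
function renderChatLineHtml(msg) {
  return `<li><b class="name">${escapeHtml(msg.name)}</b>: ${escapeHtml(msg.text)}</li>`;
}

// Preferred when a DOM is available: nothing is parsed as HTML, so nothing can
// be injected. `doc` is passed in so the function can be exercised without a
// browser (any object with createElement/createTextNode works).
function appendChatLine(doc, list, msg) {
  const li = doc.createElement('li');
  const b = doc.createElement('b');
  b.className = 'name';
  b.textContent = msg.name;               // assigned as text, never parsed
  li.appendChild(b);
  li.appendChild(doc.createTextNode(': ' + msg.text));
  list.appendChild(li);
  return li;
}

// Where this goes in a socket.io client (event name 'chat message' is an
// assumption): in the handler that renders incoming messages. The server can
// keep broadcasting the raw name; every receiving client escapes for itself.
function installChatHandler(socket, doc, list) {
  socket.on('chat message', (msg) => appendChatLine(doc, list, msg));
}

// encodeURIComponent percent-encodes for a URL component. It does turn '<'
// into '%3C', so the script tag from the question no longer executes, but it
// also mangles spaces in ordinary names and leaves ' ( ) ! * ~ untouched.
function compareEscapes(name) {
  return { html: escapeHtml(name), uri: encodeURIComponent(name) };
}

// Constructed sample: the exact kind of name the question describes.
const hostileMessage = { name: '<script>alert("HahS");</script>', text: 'hi' };
```

Because encodeURIComponent leaves the apostrophe and parentheses alone, it does nothing for a name dropped into a single-quoted attribute or an inline event handler; escapeHtml or textContent covers those cases, and textContent additionally needs no helper to get right.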
