Reputation: 61793
I believe socket.io has an XSS vulnerability and I am wondering how to solve this.
See my post about pubsub redis with socket.io which has a/the XSS hole.
From redis-cli, when you do:
publish pubsub "<script>alert('Hello world!');</script>"
you will see an alert dialog with Hello world!,
which is BAD...
To solve this I copied the following snippet from visionmedia's jade library and am wondering if this is enough?
/**
 * Escape the given string of `html`.
 *
 * Replaces the four characters that can open a tag or close a
 * quoted attribute with their HTML entities. The negative lookahead
 * on `&` leaves text that already looks like an entity (e.g. `&amp;`)
 * untouched instead of double-escaping it.
 *
 * @param {String} html
 * @return {String}
 * @api private
 */
function sanitize(html){
  return String(html)
    .replace(/&(?!\w+;)/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;');
}
Is this enough or am I missing something? Maybe even inside socket.js to solve the problem?
Upvotes: 0
Views: 5194
Reputation: 68403
There is a node-validator library which provides sanitization methods for XSS.
Upvotes: 5