
Sanitize username and chat messages using DOMpurify

Open VaibhavSaini19 opened this issue 4 years ago • 4 comments

Although the fields have been sanitized, since this is completely client-side code, anyone with a knack for JS can modify the code and inject a malicious script back again.

VaibhavSaini19 avatar Oct 02 '20 06:10 VaibhavSaini19
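The point above, shown as an added example that is not part of the sanctuary project's code: a chat client that sanitizes before sending is trivially bypassed by editing the bundled JS, so the server must run the same sanitization on every field it receives. DOMPurify needs a DOM (jsdom on the server) and is not available offline here, so `escapeHtml` and `stripTemplateExpressions` below are small stand-ins that only illustrate the placement of the check; the regexes mirror the intent of DOMPurify's `SAFE_FOR_TEMPLATES` option but are an assumption, not DOMPurify's implementation. The function names, length caps and attacker strings are all constructed for the example.

```javascript
// Added example, not the sanctuary project's code. "escapeHtml" and
// "stripTemplateExpressions" are stand-ins so the snippet runs without npm
// packages; in a real deployment run DOMPurify (via jsdom) on the server
// with the same options the client uses.

// Escape the five characters that can change HTML element or attribute context.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
  })[ch]);
}

// Remove {{...}}, ${...} and <%...%> expressions. This mirrors the intent of
// DOMPurify's SAFE_FOR_TEMPLATES option (assumption: simplified regexes,
// not DOMPurify's own implementation).
function stripTemplateExpressions(text) {
  return String(text)
    .replace(/\{\{[\s\S]*?\}\}/g, "")
    .replace(/\$\{[\s\S]*?\}/g, "")
    .replace(/<%[\s\S]*?%>/g, "");
}

// Cap length BEFORE escaping so an entity like "&lt;" is never cut in half.
function sanitizeChatField(value, maxLen) {
  const capped = String(value).slice(0, maxLen);
  return escapeHtml(stripTemplateExpressions(capped));
}

// Honest client: sanitizes before sending (the current client-only approach).
function honestClientSend(username, message) {
  return {
    username: sanitizeChatField(username, 32),
    message: sanitizeChatField(message, 500),
  };
}

// Tampered client: the user edited the bundled JS and removed the sanitize call.
function tamperedClientSend(username, message) {
  return { username, message };
}

// Server-side handler: treats every field from the socket as untrusted,
// regardless of what the client claims to have done.
function serverReceive(payload) {
  return {
    username: sanitizeChatField(payload.username, 32),
    message: sanitizeChatField(payload.message, 500),
  };
}

// Constructed sample input (assumption: representative attacker strings).
const attackerName = '<img src=x onerror="alert(1)">';
const attackerMsg =
  'hi {{constructor.constructor("alert(1)")()}} <script>alert(2)</script>';

// What reaches the server from a tampered client is the raw payload...
const fromTampered = tamperedClientSend(attackerName, attackerMsg);
// ...but the server-side pass neutralises it exactly as the honest path would.
const stored = serverReceive(fromTampered);
console.log(stored);
```

Whatever sanitizer is used, the server should apply it at the point it accepts a username or message (the socket or HTTP handler), and the client copy is then only a convenience for rendering.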

Looks good to me.

Could you take a look at this? @sachin2912 @s-katte?

sure

s-katte avatar Dec 02 '20 02:12 s-katte

@VaibhavSaini19, I have gone through the docs here, and as you can see, they recommend not using {SAFE_FOR_TEMPLATES: true} unless we don't have any other options. So, aren't there any other options?

s-katte avatar Dec 02 '20 03:12 s-katte

Since we are using it to sanitize the input given by the user instead of a custom template string, it is safe to use that attribute here.

VaibhavSaini19 avatar Dec 02 '20 04:12 VaibhavSaini19

@s-katte, please state if you find https://github.com/astrosonic/sanctuary/pull/64#issuecomment-736983741 satisfactory, so that we can go ahead and merge this one as well.

gridhead avatar Dec 02 '20 05:12 gridhead