Use a whitelist for XHTML-IM elements and attributes

[linkmauve]

The current method makes it trivial to execute scripts for any attacker, e.g. by sending <img src="something" onerror="alert('Hello XSS')"/> in a room.

http://xmpp.org/extensions/xep-0071.html defines a subset of elements alongside their attributes, I highly recommend you to whitelist only those and to ignore any other element or attribute you come across.

[benlangfeld]

Thank you for the report @linkmauve. Do you think you might be able to propose a fix?

[attritionorg]

Can you confirm if this was fixed? If so, a link to the commit and/or fixing version? Also if this is related to https://github.com/candy-chat/candy/issues/498?

[benlangfeld]

No-one has yet proposed a fix.