feat(cfx-ui): allow html in connecting status
Goal of this PR
Add support for using HTML in the connecting status (e.g. deferral.update()), as the rejection status already can (deferral.done()), allowing server developers to create more customized update statuses than Adaptive Cards can provide (excluding inputs, of course).
...
How is this PR achieving the goal
This PR replaces the current implementation of showing the status message with one similar to the rejection status. ...
This PR applies to the following area(s)
FiveM, RedM ...
Successfully tested on
Game builds: 3258, 3095
Platforms: Windows
Checklist
- [x] Code compiles and has been tested successfully.
- [x] Code explains itself well and/or is documented.
- [x] My commit message explains what the changes do and what they are for.
- [x] No extra compilation warnings are added by these changes.
Fixes issues
Preview
I'm attaching a PoC of my change.
XSS?
I was informed that FiveM already prevents script tags from being used, and additionally HTML has been allowed in connection rejection for a long time (used mostly by txAdmin).
I tried using those, and in fact didn’t succeed.
Just to make sure, I have tried some scenarios where a potential bad actor could abuse the HTML ability.
Code that was tested:
Video of checking it out: https://streamable.com/ceo6n8
Did you try the way txAdmin formats the connection status message? https://github.com/tabarra/txAdmin/blob/master/core/routes/player/checkJoin.ts#L26-L45
I might have a problem understanding what you mean by your message. Do you want me to check whether the same code that txAdmin uses for the reject also works for updating statuses?
If it's about the fact that they sanitize the ban reason, it doesn't matter, because every other resource can reject the connection while trying to use some XSS stuff, even though it seems to be already sanitized somewhere between sending data from the resource -> cfx-ui, as proven by my example in https://github.com/citizenfx/fivem/pull/3169#issuecomment-2668457095
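As an added example (not code from this PR, cfx-ui or txAdmin): one way a server-side resource can assemble an HTML connecting-status string for deferrals.update() while escaping any player- or database-supplied text, so that the only markup reaching the UI is the fixed skeleton the server author wrote. The function names and sample values are assumptions; the playerConnecting/deferrals usage follows the FiveM server API.

```javascript
// Added example, not part of the PR. Names and sample values are assumptions.

// Escape the five characters that let untrusted text break out of an HTML
// text node or a double-quoted attribute value.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// The markup skeleton is fixed by the server author; untrusted values
// (player name, ban reason, anything from a client or a database) are
// only ever interpolated after escaping, never pasted in raw.
function buildQueueStatus({ playerName, position, total, note }) {
  const pos = Number.isInteger(position) ? position : 0;
  const tot = Number.isInteger(total) ? total : 0;
  let html = `<b>Welcome, ${escapeHtml(playerName)}</b><br>` +
             `Queue position: ${pos} / ${tot}`;
  if (note) {
    html += `<br><i>${escapeHtml(note)}</i>`;
  }
  return html;
}

// Constructed sample inputs for checking that escaping holds.
const SAMPLE_NAME = '<img src=x onerror="alert(1)">Bob';
const SAMPLE_NOTE = 'Reason: "spam" & <script>alert(2)</script>';

// Usage inside a FiveM server script. Guarded so the file also loads
// outside the game runtime (e.g. under node) for the checks below.
if (typeof on === 'function') {
  on('playerConnecting', (name, setKickReason, deferrals) => {
    deferrals.defer();
    deferrals.update(buildQueueStatus({ playerName: name, position: 3, total: 12 }));
  });
}
```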
any progress here? would be useful tbh