The webchat-tutorial from vibe-d

XSS in room.dt

http://127.0.0.1:8080/room?id=%3C/script%3E%3Cscript%3Ealert(1)%3b//&name=test
Results in:
<script src="scripts/chat.js"></script><script>connect("</script><script>alert(1);//", "test")</script>

The current escaping is not considering the outer HTML context(room.dt)
script connect(!{Json(id)}, !{Json(name)})

Indentation issue in room.dt

Hello! In room.dt, this segment adds indentation incorrectly by indenting all previous messages when the page loads:

    textarea#history(rows=20, readonly=true)
        - foreach (ln; messages)
            |= ln

When adding a new message, the indentation is not added because it is being added via JavaScript.

I would submit a pull request, but I can't figure out how to fix it since I've never used vibe.d before. Any way to remove the added indentation?

Information leakage when sending invalid percentage encoding

The server emits a stacktrace when sending an invalid percentage encoded formData POST request.
id=test&name=%&message=test

400 - Bad Request

Bad Request

Internal error information:
object.Exception@../../.dub/packages/vibe-d-0.7.31/vibe-d/source/vibe/textfilter/urlencode.d(180): invalid percent encoding
----------------
??:? pure @safe bool std.exception.enforce!(Exception, bool).enforce(bool, lazy const(char)[], immutable(char)[], ulong) [0x7cab1d]
??:? pure @safe void vibe.textfilter.urlencode.filterURLDecode!(std.array.Appender!(immutable(char)[]).Appender).filterURLDecode(ref std.array.Appender!(immutable(char)[]).Appender, const(char)[], bool) [0x7dc64c]
??:? pure @safe immutable(char)[] vibe.textfilter.urlencode.formDecode!(immutable(char)).formDecode(immutable(char)[]) [0x897953]
??:? void vibe.inet.webform.parseURLEncodedForm(immutable(char)[], ref vibe.utils.dictionarylist.DictionaryList!(immutable(char)[], true, 16uL, false).DictionaryList) [0x885d6d]
??:? bool vibe.inet.webform.parseFormData(ref vibe.utils.dictionarylist.DictionaryList!(immutable(char)[], true, 16uL, false).DictionaryList, ref vibe.utils.dictionarylist.__T14DictionaryListTS4vibe4inet7webform8FilePartVbi1Vmi0Vbi0Z.DictionaryList, immutable(char)[], vibe.core.stream.InputStream, ulong) [0x8856f0]
??:? bool vibe.http.server.handleRequest(vibe.core.stream.Stream, vibe.core.net.TCPConnection, vibe.http.server.HTTPListenInfo, ref vibe.http.server.HTTPServerSettings, ref bool) [0x80aa67]
??:? void vibe.http.server.handleHTTPConnection(vibe.core.net.TCPConnection, vibe.http.server.HTTPListenInfo) [0x808f4f]
??:? void vibe.http.server.listenHTTPPlain(vibe.http.server.HTTPServerSettings).doListen(vibe.http.server.HTTPListenInfo, bool, bool).__lambda4(vibe.core.net.TCPConnection) [0x80884c]
??:? void vibe.core.drivers.libevent2_tcp.ClientTask.execute() [0x8ac16c]
??:? void vibe.core.core.makeTaskFuncInfo!(void delegate()).makeTaskFuncInfo(ref void delegate()).callDelegate(vibe.core.core.TaskFuncInfo*) [0x75256f]
??:? void vibe.core.core.CoreTask.run() [0x84b56e]
??:? void core.thread.Fiber.run() [0x931ae7]
??:? fiber_entryPoint [0x931862]
??:? [0xffffffff]

vibe-d / webchat-tutorial Goto Github PK

webchat-tutorial's People

Contributors

Stargazers

Watchers

Forkers

webchat-tutorial's Issues

XSS in room.dt

Indentation issue in room.dt

Information leakage when sending invalid percentage encoding

Recommend Projects

React

Vue.js

Typescript

TensorFlow

Django

Laravel

D3

Recommend Topics

javascript

web

server

Machine learning

Visualization

Game

Recommend Org

Facebook

Microsoft

Google

Alibaba

D3

Tencent