Question

I believe socket.io has an XSS vulnerability and I am wondering how to solve this.

See my post about pubsub redis with socket.io, which has the XSS hole.

From redis-cli, when you do:

publish pubsub "<script>alert('Hello world!');</script>"

you will see an alert dialog with Hello world!, which is BAD...

To solve this I copied the following snippet from visionmedia's jade library and am wondering whether this is enough.

/**
 * Escape the given string of `html`.
 *
 * @param {String} html
 * @return {String}
 * @api private
 */

function sanitize(html){
    return String(html)
        .replace(/&(?!\w+;)/g, '&amp;')
        .replace(/</g, '&lt;')
        .replace(/>/g, '&gt;')
        .replace(/"/g, '&quot;');
}

Is this enough, or am I missing something? Maybe even inside socket.js to solve the problem?
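As an added example (not code from the question, the answer, or the jade library), this is the escaping I would apply at the point where the server relays a pubsub message to socket.io, before anything reaches the browser; relayMessage, the channel/html shape, and the constructed sample message are assumptions. Unlike the snippet above it always escapes & and also covers the single quote, so the output is safe in text content and in either kind of quoted attribute.

```javascript
// Added example: escape untrusted pubsub text before it is emitted to browsers.
// Every character that can start markup or end an attribute value is replaced.
const ESCAPE_MAP = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};

function escapeHtml(input) {
  // Coerce to string first so numbers, null, etc. are handled the same way.
  return String(input).replace(/[&<>"']/g, (ch) => ESCAPE_MAP[ch]);
}

// Hypothetical relay step: what the server hands to socket.emit() for a message
// received from the redis subscriber. Escaping happens once, here, on the server.
function relayMessage(channel, rawMessage) {
  return { channel: String(channel), html: escapeHtml(rawMessage) };
}

// Self-check used in tests: true if any raw markup character survived escaping
// (an ampersand is only allowed as the start of one of our own entities).
function containsRawMarkup(s) {
  return /[<>"']/.test(s) || /&(?!(amp|lt|gt|quot|#39);)/.test(s);
}

// Constructed sample input: the exact payload from the redis-cli example above.
const SAMPLE_MESSAGE = "<script>alert('Hello world!');</script>";
const SAMPLE_RELAYED = relayMessage('pubsub', SAMPLE_MESSAGE);
// SAMPLE_RELAYED.html is inert text; on the client it can also be assigned via
// textContent instead of innerHTML, which makes escaping belt-and-braces.
```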


Solution

There is a node-validator library which provides sanitization methods for XSS.

Licensed under: CC-BY-SA with attribution