you stole 2 hours of my life with this site. So much fun.
After discovering that there's no XSS protection whatsoever, the fun really started. I'm still sorry about that location.href='http://microsoft.com, but using a browser with JS disabled, we managed to find out how the script posts the message and were able to fix it that way.
Of course, then the "funny" people began crashing browsers using various methods.
That's when my coworker and I came up with the idea of fixing the hole by patching window.updateMessage, so everyone who was on the site when we were doing that was protected against further attempts at crashing browsers.
Now if we could have XSS protection built-in, this could really be so much fun. The "discussions" going on before the exploiting started all around were really funny.
I'm glad you enjoyed it. I didn't remove HTML/script tags from the input because it was just a mini project to learn Node.js. Now, I'm really glad I didn't because the XSS battles were fun to watch.
I'll be keeping an eye on the site during the afternoon. Only three restarts in three hours! Woo.
Nice article, and an interesting combination of technologies! Maybe it's a little bit off topic, but I had a look at http://streethoarding.com/ to see the thing in action. I like the idea and execution (it runs pretty fast; very, very simple design; would be interesting to see how well it runs with a huge amount of visitors) and, as curious as I am (especially regarding security), the first thing I entered was some JavaScript code. Guess what, no input sanitization :)
Yes, HTML and script tags are left as is. People are in the middle of abusing this right now. My friend has just pointed out that the whole of jQuery is at everyone's disposal, too.
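The missing piece the thread keeps coming back to is escaping user input before it is broadcast. As an added example (not code from streethoarding.com, node_chat, or any commenter), this is the HTML-body escaping a chat server would apply to the nick and text of each message before handing the fragment to clients; the function names and the sample messages are constructed for the illustration.

```javascript
// Added example: escape chat messages server-side so that markup typed by one
// visitor is displayed as text to everyone else instead of being interpreted.
// Not code from streethoarding.com; names and samples are constructed.

const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};

// Escape the five characters that matter in an HTML text or attribute context.
// '&' must be in the set, otherwise an already-escaped message could be
// double-decoded by the client into live markup.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Build the fragment the client inserts for one message. Both fields are
// user-controlled, so both are escaped; nothing from the user reaches the
// markup unescaped.
function renderMessage(nick, text) {
  return `<div class="msg"><b>${escapeHtml(nick)}</b>: ${escapeHtml(text)}</div>`;
}

// Constructed samples, including the kind of redirect payload the thread
// mentions. After rendering, no sample contains a live <script> tag.
const constructedSamples = [
  ['alice', 'hello'],
  ['bob', 'a & b < c'],
  ['eve', "<script>location.href='http://microsoft.com'</script>"],
];

function renderAll() {
  return constructedSamples.map(([nick, text]) => renderMessage(nick, text));
}

function containsLiveScript(fragments) {
  return fragments.some((html) => /<script/i.test(html));
}
```

The same `escapeHtml` is what a client-side `updateMessage` patch would run before inserting a message, though the better fix on the client is to build a text node (`document.createTextNode`) instead of assigning to `innerHTML` at all. This escaping covers only HTML body and quoted-attribute contexts; user data placed inside a script block or a URL needs context-specific encoding on top of it.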
Checking out your code it looks like you're just polling (not longpolling)? Instead of just holding the connection open and waiting for a new message you pass the latest message and let the client reconnect.
I use node like this (really simplified but still): http://blog.dispostable.com/instant-mail-notifications-using...
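To make the polling versus long-polling distinction concrete, here is an added example (not the site's code and not the commenter's linked implementation) of an in-memory channel that supports both styles. `Channel`, `poll`, `longPoll` and `publish` are assumed names; an HTTP handler would call `longPoll` with the client's last-seen message index and write the callback's result as the response.

```javascript
// Added example: plain polling vs long polling over an in-memory channel.
// Not code from streethoarding.com or node_chat; all names are constructed.

class Channel {
  constructor() {
    this.messages = []; // every message posted; array index doubles as the id
    this.waiters = [];  // long-poll requests waiting for something new
  }

  // Plain polling: answer immediately with whatever is newer than `since`,
  // even if that is nothing. The client has to reconnect on a timer.
  poll(since) {
    return this.messages.slice(since);
  }

  // Long polling: answer at once if there is something newer than `since`,
  // otherwise hold the request until publish() fires or the timeout expires.
  // The callback is invoked synchronously when data is already available.
  longPoll(since, onMessages, timeoutMs = 30000) {
    const pending = this.messages.slice(since);
    if (pending.length > 0) {
      onMessages(pending);
      return;
    }
    const waiter = { since, onMessages, timer: null };
    waiter.timer = setTimeout(() => {
      this.waiters = this.waiters.filter((w) => w !== waiter);
      onMessages([]); // empty answer; the client reconnects with the same `since`
    }, timeoutMs);
    // unref() keeps a held request from pinning the process open on its own
    if (typeof waiter.timer.unref === 'function') waiter.timer.unref();
    this.waiters.push(waiter);
  }

  // Store a message and release every held long-poll request with the
  // messages it has not yet seen. Returns the new message's id.
  publish(text) {
    this.messages.push(text);
    const released = this.waiters;
    this.waiters = [];
    for (const w of released) {
      clearTimeout(w.timer);
      w.onMessages(this.messages.slice(w.since));
    }
    return this.messages.length - 1;
  }

  waitingCount() {
    return this.waiters.length;
  }
}
```

The channel only moves strings around; escaping of the message text belongs at the point where it is turned into HTML, not here. Bounding `timeoutMs` matters in practice, since each held request is an open socket, and a server that never answers idle long-polls accumulates them until the client or a proxy gives up.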
matthijs, really interesting post, and very much liked your product as well. Amazingly simple. But I couldn't see any new message indicator when I tried it out in Chrome. Has it already been put in production?
Yes it is already live, all you need to do is click the "Check for new messages" button on the inbox page and you'll be notified with a sound and the new message will be highlighted.
I just checked and made sure it is still working as it is supposed to (Firefox + Safari). I'll try Chrome as well.
This is based heavily on the node_chat app that _ry wrote as a Node example; it's on GitHub, FYI. I know because I've used it myself to figure out how Node does its thing.