You stole 2 hours of my life with this site. So much fun.
After discovering that there's no XSS protection whatsoever, the fun really started. I'm still sorry about that location.href='http://microsoft.com', but using a browser with JS disabled, we managed to find out how the script posts the message and were able to fix it that way.
Of course, then the "funny" people began crashing browsers using various methods.
That's when my coworker and I came up with the idea of fixing the hole by patching window.updateMessage, so everyone who was on the site when we were doing that was protected against further attempts at crashing browsers.
Now if we could have XSS protection built-in, this could really be so much fun. The "discussions" going on before the exploiting started all around were really funny.
I'm glad you enjoyed it. I didn't remove HTML/script tags from the input because it was just a mini project to learn Node.js. Now, I'm really glad I didn't because the XSS battles were fun to watch.
I'll be keeping an eye on the site during the afternoon. Only three restarts in three hours! Woo.
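
Added example, not part of the thread or the site's own code: one way to wrap a page's `updateMessage` so message text is HTML-escaped before the existing renderer sees it, which is the kind of client-side patch described above. It assumes `updateMessage(text)` takes one message string and writes it into the page as HTML; `escapeHtml`, `hardenUpdateMessage` and the fake page object are hypothetical names.

```javascript
// Added example: escape untrusted chat text before an existing renderer sees it.
// Assumption: updateMessage(text) receives one message string and writes it into
// the page as HTML; the real function's signature is not shown in the thread.

const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};

// Replace every character that can open a tag, attribute or entity.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Wrap target.updateMessage once so its first argument is always escaped.
// Returns true if the wrapper was installed, false if it was already in place.
function hardenUpdateMessage(target) {
  const original = target.updateMessage;
  if (typeof original !== 'function') {
    throw new TypeError('target.updateMessage is not a function');
  }
  if (original.__escaped) return false; // avoid double-escaping on re-run
  const wrapped = function (message, ...rest) {
    return original.call(this, escapeHtml(message), ...rest);
  };
  wrapped.__escaped = true;
  target.updateMessage = wrapped;
  return true;
}

// Constructed stand-in for the page: records what would be written as HTML.
function makeFakePage() {
  const page = { rendered: [] };
  page.updateMessage = function (message) {
    this.rendered.push(message);
  };
  return page;
}

function demo() {
  const page = makeFakePage();
  hardenUpdateMessage(page);
  page.updateMessage("<script>location.href='http://microsoft.com'</script>");
  page.updateMessage('plain & simple');
  return page.rendered;
}
```

A wrapper like this only covers browsers that have loaded it; escaping the text on the server before it is broadcast covers every client.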