DH2 Fixed

Improve Diamond Hunt 2


Question/comment

Posted: 26-02-2017

Injection attacks

My instinct is that calling msg = msg.replace without encoding the URL exposes users of this script to a script injection attack.

Zorbing (Author)
Posted: 27-02-2017

I originally thought a simple check for a link beginning with http:// or https:// would be enough. After some checks, I spotted that links like http://"><script>alert("lol!");</script><a href=" would be enough to break the chains (there are other examples for sure).

I improved the regular expression from

msg = msg.replace(/(https?:\/\/[^\s]+)/g, '<a target="_blank" href="$1">$1</a>');

to

msg = msg.replace(/(https?:\/\/[^\s"<>]+)/g, '<a target="_blank" href="$1">$1</a>');

You can check the new expression for potential leaks on sites like regexpal.com. If there are any, please tell me so I can fix them.

Thanks for helping me improve the accuracy of the script.
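
Added example, not part of the original posts or of the DH2 Fixed script: it runs the two patterns quoted above over the string from the reply, and beside them a variant that HTML-escapes every part of the message before building the anchor. The function names are hypothetical, and it assumes the chat message arrives as raw text that is later inserted as HTML.

```javascript
// Patterns and replacement template exactly as quoted in the reply above.
const OLD_RE = /(https?:\/\/[^\s]+)/g;
const NEW_RE = /(https?:\/\/[^\s"<>]+)/g;
const TEMPLATE = '<a target="_blank" href="$1">$1</a>';

// The string quoted in the reply, plus a constructed ordinary message.
const QUOTED = 'http://"><script>alert("lol!");</script><a href="';
const ORDINARY = 'see https://example.com/?x=1&y=2 now';

// Hypothetical helper: apply one of the two patterns the way the script does.
function linkify(msg, re) {
  return msg.replace(re, TEMPLATE);
}

// Escape the characters that carry meaning in HTML text and attribute values.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Hypothetical hardened variant: split into URL and non-URL parts, escape
// every part, and only then wrap the URL parts in an anchor. Nothing from
// the message reaches the markup unescaped, whatever the pattern lets through.
function linkifyEscaped(msg) {
  // split() with a capture group puts the captured URLs at odd indexes
  return msg.split(/(https?:\/\/[^\s"<>]+)/).map((part, i) => {
    const safe = escapeHtml(part);
    return i % 2 === 1 ? `<a target="_blank" href="${safe}">${safe}</a>` : safe;
  }).join('');
}

// Old pattern: the match runs through the quote, so href="..." is closed
// early and the rest of the match lands in the page as markup.
console.log(linkify(QUOTED, OLD_RE));
// New pattern: the quote ends the match before any URL character is seen,
// so no anchor is built and the message is passed through unchanged.
console.log(linkify(QUOTED, NEW_RE));
// Escaped variant: angle brackets and quotes become entities.
console.log(linkifyEscaped(QUOTED));
console.log(linkifyEscaped(ORDINARY));
```

The second call shows what the tightened pattern does and does not cover: it no longer builds a broken anchor, but it does not change the rest of the message, so any markup in the message is only neutralised if the message is escaped somewhere, as the third call does.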
