DH2 Fixed

Improve Diamond Hunt 2


Question/comment

Posted: 26.02.2017

Injection attacks

My instinct is that calling msg = msg.replace without encoding the url exposes users of this script to a script injection attack.

Zorbing (Author)
Posted: 27.02.2017

I originally thought a simple check for a link beginning with http:// or https:// would be enough. After some checks, I spotted that links like http://"><script>alert("lol!");</script><a href=" would be enough to break the chains (there are other examples for sure).

I improved the regular expression from

msg = msg.replace(/(https?:\/\/[^\s]+)/g, '<a target="_blank" href="$1">$1</a>');

to

msg = msg.replace(/(https?:\/\/[^\s"<>]+)/g, '<a target="_blank" href="$1">$1</a>');

You can check the new expression for potential leaks on sites like regexpal.com. If there are any, please tell me so I can fix them.

Thanks for helping me improve the accuracy of the script.
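
Added example, not part of the original posts or of the DH2 Fixed script: it runs the string quoted above through both expressions from the post and through an encode-first variant, which is what the first comment's "encoding the url" amounts to. `escapeHtml`, `linkifyEncoded` and `hasRawMarkup` are hypothetical helpers, and the example assumes `msg` arrives as plain, unencoded text.

```javascript
// Added example. OLD_RE and NEW_RE are the two expressions from the post;
// everything else is a hypothetical helper, not code from the script.
const OLD_RE = /(https?:\/\/[^\s]+)/g;
const NEW_RE = /(https?:\/\/[^\s"<>]+)/g;
const ANCHOR = '<a target="_blank" href="$1">$1</a>';

const linkifyOld = (msg) => msg.replace(OLD_RE, ANCHOR);
const linkifyNew = (msg) => msg.replace(NEW_RE, ANCHOR);

// Encode every character that is significant in HTML text or attributes.
function escapeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return text.replace(/[&<>"']/g, (c) => map[c]);
}

// Assumption: msg is plain text. Encode first, then linkify; the encoded
// text has no raw quote or angle bracket left for the URL pattern to capture.
function linkifyEncoded(msg) {
  return escapeHtml(msg).replace(OLD_RE, ANCHOR);
}

// True when raw markup other than the generated anchor survives in the output.
function hasRawMarkup(html) {
  const rest = html.replace(/<a target="_blank" href="[^"<>]*">|<\/a>/g, '');
  return /[<>]/.test(rest);
}

// Constructed inputs: the string quoted in the post, and an ordinary link.
const SAMPLE = 'http://"><script>alert("lol!");</script><a href="';
const BENIGN = 'see https://example.com/?a=1&b=2 now';

function report() {
  return {
    // Old expression: the captured quote closes the href attribute early.
    oldClosesHrefEarly: linkifyOld(SAMPLE).includes('href="http://">'),
    // New expression: no anchor is built; the text is returned unchanged.
    newLeavesTextAsIs: linkifyNew(SAMPLE) === SAMPLE,
    // Encode-first: only the generated anchor is markup.
    encodedHasRawMarkup: hasRawMarkup(linkifyEncoded(SAMPLE)),
    benign: linkifyEncoded(BENIGN),
  };
}

console.log(report());
```

The improved expression keeps quotes and angle brackets out of the generated `href`, but `replace` leaves everything outside the match as it was, so the text still needs HTML encoding before display unless it is already encoded upstream.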
