Fix XSS v2

NellowTCS · NellowTCS · commit 3208a1408da3 · 2025-09-18T08:04:04.000Z
diff --git a/Build/src/contextMenu.js b/Build/src/contextMenu.js
@@ -206,7 +206,7 @@ export class ContextMenuManager {
       try {
         const res = await fetch(`${this.app.baseURL}/mod/${this.app.elements.roomSelect.value}?user=${encodeURIComponent(this.app.user)}`, {
           method: "POST",
-          headers: { "Content-Type": "application/json" },
+          headers: this.app.getAuthHeaders(true), // Include Content-Type and auth headers
           body: JSON.stringify({
             action: 'kick',
             targetUser: this.currentMessage.user,
@@ -239,7 +239,7 @@ export class ContextMenuManager {
       try {
         const res = await fetch(`${this.app.baseURL}/mod/${this.app.elements.roomSelect.value}?user=${encodeURIComponent(this.app.user)}`, {
           method: "POST",
-          headers: { "Content-Type": "application/json" },
+          headers: this.app.getAuthHeaders(true), // Include Content-Type and auth headers
           body: JSON.stringify({
             action: 'ban',
             targetUser: this.currentMessage.user,
diff --git a/Build/src/main.js b/Build/src/main.js
@@ -393,7 +393,7 @@ class HTMLChatApp {
     this.elements.welcomeDiv.innerHTML = '';
     
     // Create text node with safe content
-    const welcomeText = document.createTextNode('Welcome to HTMLChat!, ');
+    const welcomeText = document.createTextNode('Welcome to HTMLChat, ');
     const userBold = document.createElement('b');
     userBold.textContent = this.user;
     const middleText = document.createTextNode('! You are now in room ');
@@ -791,8 +791,9 @@ class HTMLChatApp {
       this.elements.roomSelect.value
     }?user=${encodeURIComponent(this.user)}`;
     try {
-      navigator.sendBeacon(url, JSON.stringify({ method: "DELETE" }));
+      await fetch(url, { method: "DELETE", keepalive: true });
     } catch (e) {
+      // Fallback: try again without awaiting in case of network issues
       fetch(url, { method: "DELETE", keepalive: true }).catch(() => {});
     }
   }
diff --git a/Build/src/messageRenderer.js b/Build/src/messageRenderer.js
@@ -17,6 +17,13 @@ export class MessageRenderer {
     div.textContent = text;
     return div.innerHTML;
   }
+
+  // Escape for attribute contexts (adds quote escaping)
+  escapeAttr(s) {
+    return this.escapeHtml(String(s))
+      .replace(/"/g, '&quot;')
+      .replace(/'/g, '&#39;');
+  }
   
   // Helper method to create lucide icons
   createIcon(iconName, options = {}) {
@@ -104,11 +111,20 @@ export class MessageRenderer {
         'b','i','em','strong','u','a','p','ul','ol','li','code',
         'pre','img','h1','h2','h3','h4','h5','h6','br','span','div'
       ],
-      ALLOWED_ATTR: ['href','src','alt','title','target','style']
+      ALLOWED_ATTR: ['href','src','alt','title','target','style','rel']
     });
 
     // 3. Convert remaining plain URLs into clickable links
-    html = html.replace(/(?<!["'>])\bhttps?:\/\/[^\s<]+/g, '<a href="$&" target="_blank" rel="noopener noreferrer" style="color:#0066cc">$&</a>');
+    html = html.replace(/(?<!["'>])\bhttps?:\/\/[^\s<]+/g, (url) => {
+      const safeHref = this.escapeAttr(url);
+      const safeText = this.escapeHtml(url);
+      return `<a href="${safeHref}" target="_blank" rel="noopener noreferrer" style="color:#0066cc">${safeText}</a>`;
+    });
+    // Defense-in-depth: sanitize again
+    html = DOMPurify.sanitize(html, {
+      ALLOWED_TAGS: ['b','i','em','strong','u','a','p','ul','ol','li','code','pre','img','h1','h2','h3','h4','h5','h6','br','span','div'],
+      ALLOWED_ATTR: ['href','src','alt','title','target','style','rel']
+    });
 
     return html;
   }
@@ -166,52 +182,52 @@ export class MessageRenderer {
       if (message.system) messageClass += ' system';
       
       let messageHtml = `
-        <div class="${messageClass}" id="${this.escapeHtml(messageId)}" 
-             data-user="${this.escapeHtml(user)}" 
-             data-time="${this.escapeHtml(time)}"
-             data-message-id="${this.escapeHtml(messageId)}">
+        <div class="${messageClass}" id="${this.escapeAttr(messageId)}"
+             data-user="${this.escapeAttr(user)}"
+             data-time="${this.escapeAttr(String(time))}"
+             data-message-id="${this.escapeAttr(messageId)}">
       `;
       
       // Add reply reference if this is a reply (before timestamp and user)
       if (replyInfo) {
         messageHtml += `
-          <div class="reply-reference" data-message-id="${this.escapeHtml(replyInfo.messageId)}">
+          <div class="reply-reference" data-message-id="${this.escapeAttr(replyInfo.messageId)}">
             ↳ Replying to ${this.escapeHtml(replyInfo.replyUser)}
           </div>
         `;
       }
       
       messageHtml += `
           <span class="time">[${this.escapeHtml(date)}]</span>
-          <span class="user${isModerator ? ' moderator' : ''}" 
-                style="color:${this.escapeHtml(color)}"
-                data-user="${this.escapeHtml(user)}">&lt;${this.escapeHtml(user)}&gt;</span>
+          <span class="user${isModerator ? ' moderator' : ''}"
+                style="color:${this.escapeAttr(color)}"
+                data-user="${this.escapeAttr(user)}">&lt;${this.escapeHtml(user)}&gt;</span>
       `;
       
       // Add the message content
       if (fileAttachment) {
         if (fileAttachment.type.startsWith('image/')) {
-          const imageUrl = this.escapeHtml(fileAttachment.url || fileAttachment.data);
-          const imageName = this.escapeHtml(fileAttachment.name);
+          const imageUrl = this.escapeAttr(fileAttachment.url || fileAttachment.data);
+          const imageName = this.escapeAttr(fileAttachment.name);
           const uploadedBy = this.escapeHtml(fileAttachment.uploadedBy || 'Unknown');
           const uploadedAt = fileAttachment.uploadedAt ? this.escapeHtml(new Date(fileAttachment.uploadedAt).toLocaleString()) : '';
           const titleText = `Uploaded by ${uploadedBy}${uploadedAt ? ' on ' + uploadedAt : ''}`;
           
           messageHtml += `
             <span class="text">
-              <img src="${imageUrl}" 
-                   alt="${imageName}" 
+              <img src="${imageUrl}"
+                   alt="${imageName}"
                    class="image-attachment clickable-image"
                    data-url="${imageUrl}"
-                   title="${this.escapeHtml(titleText)}">
+                   title="${this.escapeAttr(titleText)}">
             </span>
           `;
         } else {
           const iconName = this.getFileIconName(fileAttachment.type);
           const iconHtml = this.createIcon(iconName, { 
             style: { width: '16px', height: '16px', marginRight: '4px' }
           });
-          const fileUrl = this.escapeHtml(fileAttachment.url || fileAttachment.data);
+          const fileUrl = this.escapeAttr(fileAttachment.url || fileAttachment.data);
           const fileName = this.escapeHtml(fileAttachment.name);
           const uploadedBy = this.escapeHtml(fileAttachment.uploadedBy || 'Unknown');
           const uploadedAt = fileAttachment.uploadedAt ? this.escapeHtml(new Date(fileAttachment.uploadedAt).toLocaleString()) : '';
@@ -220,12 +236,12 @@ export class MessageRenderer {
           
           messageHtml += `
             <span class="text">
-              <a href="${fileUrl}" 
-                 ${fileAttachment.filename ? `download="${fileName}"` : 'target="_blank" rel="noopener noreferrer"'}
+              <a href="${fileUrl}"
+                 ${fileAttachment.filename ? `download="${this.escapeAttr(fileName)}"` : 'target="_blank" rel="noopener noreferrer"'}
                  class="file-attachment"
-                 title="${this.escapeHtml(titleText)}">
+                 title="${this.escapeAttr(titleText)}">
                 ${iconHtml}
-                ${fileName} (${this.escapeHtml(fileSize)})
+                ${this.escapeHtml(fileName)} (${this.escapeHtml(fileSize)})
               </a>
             </span>
           `;
diff --git a/Build/src/privateMessages.js b/Build/src/privateMessages.js
@@ -225,7 +225,7 @@ export class PrivateMessageManager {
       // Send PM to server - encode conversationId to handle special characters
       const res = await fetch(`${this.app.baseURL}/pm/${encodeURIComponent(conversationId)}?user=${encodeURIComponent(this.app.user)}`, {
         method: 'POST',
-        headers: { 'Content-Type': 'application/json' },
+        headers: this.app.getAuthHeaders(true), // Include Content-Type and auth headers
         body: JSON.stringify({ text: message, to: username })
       });
       
@@ -285,7 +285,9 @@ export class PrivateMessageManager {
       const conversationId = [this.app.user, username].sort().join('_');
       
       // Fetch from server - encode conversationId to handle special characters
-      const res = await fetch(`${this.app.baseURL}/pm/${encodeURIComponent(conversationId)}?user=${encodeURIComponent(this.app.user)}`);
+      const res = await fetch(`${this.app.baseURL}/pm/${encodeURIComponent(conversationId)}?user=${encodeURIComponent(this.app.user)}`, {
+        headers: this.app.getAuthHeaders(false) // No Content-Type for GET requests
+      });
       
       if (res.ok) {
         const data = await res.json();
diff --git a/Build/src/search.js b/Build/src/search.js
@@ -107,17 +107,23 @@ export class SearchManager {
       const chunkSize = 50;
       let filteredMessages = [];
       
+      // Precompute username filter needle once for performance
+      const usernameFilterNeedle = this.userFilter.checked && this.usernameFilter.value.trim() 
+        ? this.usernameFilter.value.trim().toLowerCase() 
+        : null;
+      
       for (let i = 0; i < messages.length; i += chunkSize) {
         const chunk = messages.slice(i, i + chunkSize);
         
         const chunkFiltered = chunk.filter(msg => {
-          // Text search
-          const textMatch = msg.text.toLowerCase().includes(query) || 
-                           msg.user.toLowerCase().includes(query);
+          // Text search with null-safety
+          const safeText = String(msg.text || '').toLowerCase();
+          const safeUser = String(msg.user || '').toLowerCase();
+          const textMatch = safeText.includes(query) || safeUser.includes(query);
           
           // User filter
-          if (this.userFilter.checked && this.usernameFilter.value.trim()) {
-            const userMatch = msg.user.toLowerCase().includes(this.usernameFilter.value.trim().toLowerCase());
+          if (usernameFilterNeedle) {
+            const userMatch = safeUser.includes(usernameFilterNeedle);
             return textMatch && userMatch;
           }
           
@@ -153,11 +159,11 @@ export class SearchManager {
     
     const html = messages.map((msg, index) => {
       const date = new Date(msg.time).toLocaleString();
-      const color = this.app.messageRenderer.getUserColor(msg.user);
+      const color = this.app.messageRenderer.getUserColor(msg.user || '');
       
-      // Highlight search terms
-      let highlightedText = this.highlightSearchTerms(msg.text, query);
-      let highlightedUser = this.highlightSearchTerms(msg.user, query);
+      // Highlight search terms with null-safety
+      let highlightedText = this.highlightSearchTerms(msg.text || '', query);
+      let highlightedUser = this.highlightSearchTerms(msg.user || '', query);
       
       const messageId = `msg-${msg.time}-${index}`;
       
