from Hacker News

Show HN: Roomchat – No signup instant custom chat rooms

by nerdburn on 8/5/15, 8:36 PM with 6 comments

  • by mike-cardwell on 8/8/15, 5:21 PM

    XSS by writing the message:

      <i<script></script>mg src="#" onerror="alert(1)">
    
    Just stripping out tags doesn't work. Stripping out the script tags there simply ends up creating another new tag. You need to understand and implement proper escaping.
  • by timebomb on 8/5/15, 11:08 PM

    Cool! Looks like HTML injection isn't blocked whatsoever. With chat messages being loaded as people enter, it could lead to someone exploiting everyone that enters your site.
  • by nerdburn on 8/5/15, 8:49 PM

    We created this in Meteor.js, pretty fun. Great for short term chat rooms that don't need a sign up. Would love feedback!
  • by nautical on 8/5/15, 11:19 PM

    Please fix it: <IMG SRC=# onmouseover="alert('xxs')">
  • by nautical on 8/9/15, 7:27 PM

    People ... It still has XSS issues ..
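As an added example (not code from the Roomchat project or from any commenter), here is the kind of blacklist filter mike-cardwell's payload defeats, beside the output escaping he recommends, run against the payloads quoted in his and nautical's comments; the function names are my own.

```javascript
// Payloads quoted in the thread (constructed here as test fixtures, not live input).
const SPLIT_TAG_PAYLOAD = '<i<script></script>mg src="#" onerror="alert(1)">';
const IMG_PAYLOAD = '<IMG SRC=# onmouseover="alert(\'xxs\')">';

// Naive blacklist "sanitizer": delete <script>...</script> elements in one pass.
// This is the approach the thread warns against.
function stripScriptTags(input) {
  return input.replace(/<script\b[^>]*>[\s\S]*?<\/script>/gi, '');
}

// Output escaping: every character that can open a tag, close an attribute or
// start an entity becomes an HTML entity, so the browser renders it as text.
const ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
function escapeHtml(input) {
  return String(input).replace(/[&<>"']/g, (c) => ESCAPES[c]);
}

// Rough detector used only by the checks below: a start tag carrying an on*=
// event-handler attribute. Not a sanitizer; it just makes the failure visible.
function hasEventHandlerTag(html) {
  return /<[a-z][^>]*\son[a-z]+\s*=/i.test(html);
}

// Render a chat message the safe way: escape first, then insert into markup.
function renderMessage(text) {
  return '<div class="msg">' + escapeHtml(text) + '</div>';
}

// Walkthrough, returned as values so the outcome can be checked programmatically.
function demo() {
  const stripped = stripScriptTags(SPLIT_TAG_PAYLOAD);
  return {
    // Raw payload: a browser tokenizes "<i<script>" as a tag named "i<script",
    // so no <img> element exists until the filter manufactures one.
    rawHasHandler: hasEventHandlerTag(SPLIT_TAG_PAYLOAD),      // false
    // After the blacklist pass the two halves join into a real <img onerror=...>.
    stripped,                                                  // '<img src="#" onerror="alert(1)">'
    strippedHasHandler: hasEventHandlerTag(stripped),          // true
    // Escaping keeps both payloads inert regardless of what a filter would miss.
    escapedHasHandler: hasEventHandlerTag(renderMessage(SPLIT_TAG_PAYLOAD)) ||
                       hasEventHandlerTag(renderMessage(IMG_PAYLOAD)),  // false
  };
}
```

In Meteor's Blaze templates, `{{message}}` applies this kind of escaping automatically; only the triple-brace form `{{{message}}}` inserts raw HTML.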