I believe socket.io has an XSS vulnerability and I am wondering how to solve this.

See my post about pubsub redis with socket.io which has a/the XSS hole.

from redis-cli when you do:

publish pubsub "<script>alert('Hello world!');</script>"

You will see an alert dialog with Hello world! which is BAD...

To solve this I copied the following snippet from visionmedia's jade library and am wondering if this is enough?

/**
 * Escape the given string of `html`.
 *
 * @param {String} html
 * @return {String}
 * @api private
 */

function sanitize(html){
    return String(html)
        // ampersands, except ones that already start an entity such as `&amp;`
        .replace(/&(?!\w+;)/g, '&amp;')
        .replace(/</g, '&lt;')
        .replace(/>/g, '&gt;')
        // double quotes only; single quotes (') are left as they are
        .replace(/"/g, '&quot;');
}

Is this enough or am I missing something? Maybe even inside socket.js to solve the problem?

Alfred
  • What "xss vulnerability" do you think it has? – Anon. Jan 16 '11 at 23:50
  • Updated my question to the snippet on another topic which has this vulnerability. – Alfred Jan 16 '11 at 23:55
  • Displaying untrusted data verbatim is an XSS vulnerability. There's nothing about this particular to socket.io. – Anon. Jan 17 '11 at 00:05
  • But socket.io can (and should) escape it, or am I wrong? – Alfred Jan 17 '11 at 00:07
  • Considering this question is already the second result on Google for "socket.io escape" (and the top result for "socket.io xss"), I would guess that it doesn't. And why should it? If it automatically escaped stuff for you, that would make it unnecessarily difficult to use it to fetch HTML from trusted sources. If you want to escape stuff, do it yourself. – Anon. Jan 17 '11 at 00:11
  • So then my next question is how would you escape it properly using node.js/javascript? – Alfred Jan 17 '11 at 00:14
  • lol down-voting without explaining why is really bullsh*t. – Alfred Sep 06 '11 at 22:42
  • @Alfred: Maybe people can't stand the thought of magic quotes in node :D - awww. that's actually a scary thought. would be so UGLY! – thejh Nov 09 '11 at 22:24
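Added example, not part of the question or of jade/socket.io: it puts the posted sanitize() next to an escaper that also covers the single quote, and applies it to the exact string the redis-cli publish from the question would deliver to connected clients. The message text and the prepareForClients() helper are constructed for this illustration; the `&#39;` entity for `'` is the usual HTML escaping convention, not something the page states.

```javascript
// Added example (not from the question or answer): compare the jade-derived
// sanitize() from the question with an escaper that also handles the single
// quote, then apply it to a message as it would arrive from the pubsub channel.

// The snippet as posted in the question (jade's escaping helper), renamed so
// both versions can sit side by side.
function sanitizeJade(html) {
  return String(html)
    .replace(/&(?!\w+;)/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;');
}

// Escape every HTML-significant character, including the single quote, which
// matters when the value ends up inside a single-quoted attribute.
// `&` is escaped unconditionally: a message that already contains `&amp;`
// should be displayed literally, not re-interpreted as an entity.
const ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => ESCAPES[ch]);
}

// Which of the HTML-significant characters does a given helper pass through
// unchanged? Used below to make the gap in sanitizeJade() visible.
function unescapedChars(fn) {
  return ['&', '<', '>', '"', "'"].filter((ch) => fn(ch) === ch);
}

// Constructed sample: the payload from the question's redis-cli publish, as the
// subscriber would receive it and hand it to socket.io.
const SAMPLE_MESSAGE = "<script>alert('Hello world!');</script>";

// Hypothetical server-side step: escape before emitting to clients, so the
// browser only ever receives inert text for this field.
function prepareForClients(message) {
  return { text: escapeHtml(message) };
}

console.log('jade sanitize :', sanitizeJade(SAMPLE_MESSAGE));
console.log('escapeHtml    :', escapeHtml(SAMPLE_MESSAGE));
console.log('left unescaped by sanitizeJade:', unescapedChars(sanitizeJade));
console.log('left unescaped by escapeHtml  :', unescapedChars(escapeHtml));
console.log('emitted to clients:', prepareForClients(SAMPLE_MESSAGE));
```

Escaping on the server is only half of it: on the client, inserting the received text with `textContent` (or jQuery's `.text()`) rather than `innerHTML` means the browser never parses it as markup at all, and the escaping becomes defence in depth rather than the single line of protection.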

1 Answer

There is a node-validator library which provides sanitization methods for XSS.

yojimbo87