I created an ephemeral group chat app for strangers(commonroom.chat)
commonroom.chat
I created an ephemeral group chat app for strangers
https://www.commonroom.chat/
38 comments
Neat little project, but you can pass HTML tags directly into the chat! <script> doesn't seem to run, but <img> can load from external sites. Be careful!
How can I fix this? this is my first full stack app I've built and it's nice seeing users interact with the site
https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Sc...
Edit: this focuses on script tags and other means to inject code, but most defenses also work for other injected tags
Edit: this focuses on script tags and other means to inject code, but most defenses also work for other injected tags
thank you for this resource :) going to look into that.
first time figuring out opsec !
first time figuring out opsec !
Lots of awful porn gifs spam, even from my account because there are security issues that allowed other group members to send messages with my nick
Really wanted to enjoy this, but it seemed like the room size of 5 was way too small. People would pop in and out endlessly hoping for some bustle but none seemed to be able to build.
What chat I did get really recreated the 14 year old edgelords in chatrooms experience though. Lots of porn gif spamming
What chat I did get really recreated the 14 year old edgelords in chatrooms experience though. Lots of porn gif spamming
Perhaps I might increase room limit to 10 users?
I'm trying to replicate the feeling of a hostel commonroom
I'm trying to replicate the feeling of a hostel commonroom
Beyond broken and unsuitable for public release. Take it down and fix it.
Wow. It was working great at the start before people started spamming nsfw content and injecting html and css into the page. Will be taking down the site in the morning and working on version 2. I guess from this I can say there’s some demand?
Easy fix: In your script.js in the appendMessage function do this:
const chatMessage = document.createElement("div");
chatMessage.classList.add("chat-message");
chatMessage.innerHTML = `<span class="username" style="color: ${color};">${username}:</span> `;
const userMessage = document.createElement('span');
span.innerText = message;
chatMessage.appendChild(userMessage);
chatContainer.appendChild(chatMessage);
chatContainer.scrollTop = chatContainer.scrollHeight;I love how people here actually check the source code of a website. So HN
It's unfortunate, though anything you make online now will be abused readily and should thus be hardened. By leaving it in the state it was, regular users were endangered.
Don't be dramatic, there was no danger.
Folks were spamming porn and posting your IP address to chat on your behalf. Being able to execute code in someone else’s browser is dangerous.
No it's not. Literally every website you visit can do that. It's called JavaScript and it's sandboxed.
You really think some rando that spins up a web server is significantly more trustworthy that a rando in a chat channel? Of course not, they're the same people.
You really think some rando that spins up a web server is significantly more trustworthy that a rando in a chat channel? Of course not, they're the same people.
You should disable gif/image rendering by default and make it opt-in, this is basically a link to porn right now and HN should take it down.
2 observations:
I couldn't figure out what my username was, I had to ask in the chat.
It's possible to embed recursive iframes, so I can see that being exploited for bad things.
Otherwise I like the idea. People in the chat were nice, but I can't help but think that soon chat rooms will be full of chatGPT bots and nobody will be any the wiser!
I couldn't figure out what my username was, I had to ask in the chat.
It's possible to embed recursive iframes, so I can see that being exploited for bad things.
Otherwise I like the idea. People in the chat were nice, but I can't help but think that soon chat rooms will be full of chatGPT bots and nobody will be any the wiser!
Thank you for the feedback!
So far from users I've heard they want:
1) username visibility fix making sure all colors are visible 2) removal of xss 3) ability to see your own username (its just "you" rn) 4) dark mode
open to any and all suggestions :) my first full stack app. its cool seeing it being used
So far from users I've heard they want:
1) username visibility fix making sure all colors are visible 2) removal of xss 3) ability to see your own username (its just "you" rn) 4) dark mode
open to any and all suggestions :) my first full stack app. its cool seeing it being used
Don't show people entering and leaving. It clutters the chat, and you don't need to be notified of people leaving as the ephemerality of this is pretty explicit. Larger group sizes to maintain coherence. sanitize your inputs because this is REALLY NSFW now
This is a great comment. Will be implementing this in the next push.
Good luck polishing things up! I had a normal (non goatse'd) session the first try. It really recaptured the early internet vibe for me... loving your idea.
<iframe src="" height=0 width=0 />
Site is susceptible to some kind of css attack. Too bad.
[deleted]
How can I fix this?
You can try escaping HTML submitted from the form. Or even simply detecting the presence of any HTML tag and rejecting such submissiobs with a friendly error message.
ah yes! i will do this in the next version. someone recomended leaving some of the xss elements like the image and video function with the old school chat vibes but I'm not sure what to do lmaooo
Old school chats and forums dealt with that with special limited markup language for formatting and embedding images or other special elements like youtube videos. Everything outside the limited markup options was treated as text with the replacement of < and > to HTML entities < and > meant to display HTML special characters in text. It was called BBcode, if I recall correctly. It looked something like that:
[b]bold[/b] [i]italic[/i] [img]example.com/image.jpg[/img] [youtube]youtube.com/watch?v=someVideo[/youtube]
[b]bold[/b] [i]italic[/i] [img]example.com/image.jpg[/img] [youtube]youtube.com/watch?v=someVideo[/youtube]
I like to use a small utility function like this and pass user input through it.
function asTextContent(input) {
const tempElement = document.createElement('span');
tempElement.textContent = input;
return tempElement.innerHTML;
}
It will let the browser handle the escaping.I was having fun, but the message feed started bugging out :(
(a lot of messages of broken images and 'meow' text)
[deleted]
Some user was able to open a browser modal with a custom message in everyones browser. Any ideas how they did that?
https://en.wikipedia.org/wiki/Cross-site_scripting
The author of the site was naughty and didn't do any sanitization :) They said they've fixed it in another comment, though.
The author of the site was naughty and didn't do any sanitization :) They said they've fixed it in another comment, though.
Someone flagged your submission