ReplChat
AJDevelopment (75)

I was bored so I made a chatting website. Credit goes to ZDev1 for the tutorial. There's also a comment in the Node.JS code saying credit goes to ZDev1.

Edit: I won't always be on the chat but I might be in the chat during my spare time. Also don't even try writing bad words when I'm gone in the chat, this is ReplChat not Discord.

ReplChat 1.1: Any message containing < will not send.

Comments
ZDev1 (694)

remove the + if(blah blah blah) it's buggy

AJDevelopment (75)

@ZDev1 i'll remove it if the server lags after reopening

AJDevelopment (75)

i reopened the chat servers

RobloxianGreen (7)

my chat is better than that, i can give a link

AJDevelopment (75)

@RobloxianGreen sorry but no one wants the link

Leroy01010 (382)

Err? someone tried to do xss alerting

oignons (311)

You may want to add more bad words to the filter.

ZDev1 (694)

@oignons npm bad-words has a lot of bad words
but you can use badwords.addWords('some', 'bad', 'words');
I made a tutorial about how to clean the sentence of bad words.
Check it out

AJDevelopment (75)

@oignons yeah i already have some, it's the first thing you see in the code (if anyone is sensitive about bad words I might move the add words to filter up)

AJDevelopment (75)

@AJDevelopment attempting to type in summa cum laude, which is a Latin graduation celebration, it gets turned into summa *** laude

AJDevelopment (75)

@PDanielY yeah i turned it off to update the code

AJDevelopment (75)

@PDanielY yeah i was implementing an HTML check on usernames

AJDevelopment (75)

@AJDevelopment i coded in some code so that if you have any HTML inside your username it throws an error.

(the fricked up part is a dumb joke about how 9 year olds always say frick)

Edit: It now says Good Job You Bricked Up The Servers

PowerCoder (690)

Suggestions:

  • USE MARKDOWN instead of HTML. HTML allows XSS. (use .text instead of .html)
  • Change font style and size. The text isn't very legible.
  • Fix a bug where sometimes you can't scroll down.

ZDev1 (694)

@PowerCoder well... I am the creator of the chat.
he only gave me credit
I'll add markdown

ZDev1 (694)

@PowerCoder I've just added markdown :)

AJDevelopment (75)

@ZDev1 yeah now you can use HTML and Markdown

AJDevelopment (75)

@ZDev1 but that means xss can be done

ZDev1 (694)

@AJDevelopment I'll do something in the repl

AJDevelopment (75)

@AJDevelopment i changed the code to find the < anywhere in the message

fuzzyastrocat (1284)

@AJDevelopment If you use my suggestion earlier (EDIT: and noticing that @PowerCoder said the exact same thing), you wouldn't have to block any message containing <. Just use .text(msg) instead of .html(msg) (Index.ejs, line 38) and you'll be good to go. A message like <script>alert("xss")</script> will just be the literal text not an actual script, and now people can say things like Wow, 2 < 3!. (and since you're using markdown you don't have to worry about people using html for styling, they can just use markdown for that.)

AJDevelopment (75)

@fuzzyastrocat yeah but then instead of AJDev joined the chat it's <i>AJDev joined the chat</i>

AJDevelopment (75)

@AJDevelopment that is why messages containing < won't send

fuzzyastrocat (1284)

@AJDevelopment Probably a better solution in that case then would be to find and replace all <'s and >'s in the user's message (i.e., not the builtin italic ones) with &lt;'s and &gt;'s (escape them). That way you can still include those characters but it won't render as HTML.

[deleted]

There are hackers. The hackers rick rolled me. It's a good repl, but a toxic community

AJDevelopment (75)

@CarlosRosiles yeah one crashed my laptop by opening 1,293,658 tabs playing rick astley

[deleted]

@CarlosRosiles toxic rickrollers!

AJDevelopment (75)

the claim of 1,000,000 tabs is actually true, I took a picture and counted every single tab. It took 30 minutes.

proryan (20)

When I try to run it gives me this error

/home/runner/ca78g3uyqw5/index.js:32
io.emit('chat_message',<i>${time.toLocaleTimeString()}</i><br> + '<strong>' + socket.username + '</strong>: ' + filter.clean(message) + if (message === "") { alert("Empty Messages Cannot Be Sent.");});
^^

SyntaxError: Unexpected token 'if'

AJDevelopment (75)

@proryan oh ok, also don't run it, someone was abusing XSS

proryan (20)

@AJDevelopment ok thanks for letting me know

ZDev1 (694)

Thanks for your feedback!
It's cool btw!

AJDevelopment (75)

If anyone wants to they can design a logo for ReplChat. I was going to put the Repl.It logo inside a message bubble but that would maybe be copyright infringement on Repl.it.

AJDevelopment (75)

OK, due to someone spamming too much XSS, the server will be shut down until 11:30 AM MST

Edit: Sorry behavingEffort. Also does anyone know who the XSS guy is?

Edit 2: Server is now open

Edit 3: Server is closed for Maintenance (mainly sanitization)

retronbv (101)

Make it sanitize the message before sending @AJDevelopment

AJDevelopment (75)

@retronbv yeah but people like making big text and bold, one was abusing the exploit

fuzzyastrocat (1284)

@AJDevelopment If you use .text(msg) instead of .html(msg) it should sanitize it and prevent the sizing/bold stuff from happening

AJDevelopment (75)

It seems like nobody gets it. The other people on the chat were using it responsibly, while the XSS Guy was sending scripts that open Google and close the ReplChat page repeatedly after telling everyone to use XSS only for text styling not scripting.

firefish (781)

@AJDevelopment Well the mee guy doesn't actually have an account on repl.it, well that's what he told me

fuzzyastrocat (1284)

@AJDevelopment Oh, ok. Yeah I'd go with @retronbv's suggestion and use markdown, it's safe and allows users to make styling stuff. I'd use http://showdownjs.com/ since it works well with nodejs.

fuzzyastrocat (1284)

@AJDevelopment Another solution would be to auto-escape all script tags included in the chat text. I don't think you can do anything harmful without script tags (correct me if I'm wrong though)

AJDevelopment (75)

@fuzzyastrocat <img src="x" onerror="alert("XSS")"/>

fuzzyastrocat (1284)

@AJDevelopment Hmm, didn't think of that. So yeah, markdown would probably be the best solution.

AJDevelopment (75)

@fuzzyastrocat i marked < and > as bad words so <i>test</i> would become itest/i

fuzzyastrocat (1284)

@AJDevelopment Heh, nice. But now math doesn't work, i.e. So I learned that 3x > 2x in class today loses meaning

AJDevelopment (75)

@fuzzyastrocat you could just say So I learned that 3x is greater than 2x

Jeydin21 (58)

Also, you can spam the send button and it just sends an empty message.

AJDevelopment (75)

@Jeydin21 Ok, I'll probably mark empty messages as a bad word or not allow it to be sent.
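Added example (editor's note; this is not code from the ReplChat repl or from ZDev1's tutorial): the escape-then-format approach fuzzyastrocat describes in the thread, carried through for a whole message. User text is HTML-escaped first, so the img/onerror payload quoted above arrives in the page as literal characters and "3x > 2x" survives intact; a tiny markdown subset (**bold**, *italic*) is applied after escaping so people still get styling without raw HTML; the server's own <i>…</i> join notice and the <i>time</i><br><strong>name</strong>: layout visible in proryan's error dump stay as trusted markup; and whitespace-only messages are rejected, which covers the spam-the-send-button bug. The function names, the markdown subset and the use of a constructed timestamp are assumptions; the bad-words filter.clean call is left out to keep the block dependency-free.

```javascript
// Added example, not the ReplChat repl's own code. Assumed names:
// escapeHtml, renderMarkdownSubset, formatChatMessage, formatJoinNotice.

// Escape the five characters that change meaning in HTML text and
// attribute context. Everything the user typed goes through this first.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Minimal markdown subset applied AFTER escaping: **bold** and *italic*.
// Because the input is already escaped, the only tags that can appear in
// the output are the <strong> and <em> this function emits itself.
function renderMarkdownSubset(escaped) {
  return escaped
    .replace(/\*\*([^*]+)\*\*/g, '<strong>$1</strong>')
    .replace(/\*([^*]+)\*/g, '<em>$1</em>');
}

// Build the HTML the server would emit for one chat message, in the same
// <i>time</i><br><strong>name</strong>: text layout seen in the thread.
// Returns null for empty or whitespace-only messages instead of sending.
function formatChatMessage(username, message, time) {
  if (typeof message !== 'string' || message.trim() === '') return null;
  const safeName = escapeHtml(username);
  const safeText = renderMarkdownSubset(escapeHtml(message));
  // Constructed timestamp formatting; the real repl used toLocaleTimeString().
  const stamp = escapeHtml(time.toLocaleTimeString('en-US', { timeZone: 'UTC' }));
  return `<i>${stamp}</i><br><strong>${safeName}</strong>: ${safeText}`;
}

// Server-generated join notice: the italic tags are the server's own, while
// the username (the one user-controlled part) is escaped, so a name like
// <b>x</b> shows up literally instead of being rendered.
function formatJoinNotice(username) {
  return `<i>${escapeHtml(username)} joined the chat</i>`;
}
```

The important ordering is escape first, markdown second: running a markdown converter on raw input and escaping afterwards would also escape the converter's own tags, and most markdown libraries pass raw HTML through untouched, so feeding them unescaped chat text brings the XSS straight back. With the escaping done on the server before io.emit, the client can keep appending with .html(msg) and only the server's markup is ever interpreted.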

Jeydin21 (58)

One thing you should add is auto scrolling on the chat, we are forced to scroll down when the chat gets too long. But overall, good chat function!

AJDevelopment (75)

@Jeydin21 If you have Chrome you can just click on the chat log and press Space to scroll down.