Heads up, found a major issue. There are a lot of HTML tags that aren't getting sanitized if sent by chat. Including style and possibly even script.
I first started to notice it when messages with various stuff got nulled out. Cases where <text is between less-than and greater-than signs> as well as anything that would fall behind a ;.
It may be worth going for a broad method and sanitizing by doing literal conversions. Such as < becoming
and so on from everything between backticks to semicolons to brackets.
At worst, a workaround may be needed for things like emojis, but the alternatives of not handling it or having to check for all valid HTML tags would be annoying at best, a security risk at worst. I do however see a lot of griefing potential.
example to powerwash the chat:
Code:
<style>*{background: white !important; color: white !important;}</style>
(left side shows that twitch's normal chat displays the text all nicely sanitized. Right shows the chat in the chat designer)
(Side note, in the chat page itself, it actually did try to load the video but failed. It displayed a broken video player which didn't show up in the designer page.)
and to show how it normally looks when it hasn't been powerwashed by the power of chat using CSS.
I can very easily imagine a scenario where someone wrote a style that would use CSS's animation ability to turn the chat into a red strobe seizure light. And that isn't even the worst of the possible griefing they could do with just the style tag. If someone were to work around the issue with the img and video tags not loading that I ran into, well... I don't think I should explain the myriad of ways that would cause problems for a streamer on Twitch.
As is I do not think anyone should be using this. Which sucks, because the tool is really useful! So I hope this gets addressed and fixed ASAP.
And when it does get fixed I'll be back to using it, since I like that I have more freedom with a local chat engine than you can get with certain 3rd party sites.
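As an added example (not code from the original post or from the chat designer tool), this is what the "literal conversion" approach the post suggests looks like in practice: every character with meaning in HTML markup is replaced by its entity before the message is spliced into the overlay's HTML, so the `<style>` payload above is displayed as literal text instead of being interpreted. The function names (`escapeHtml`, `renderChatLine`, `containsMarkup`) are my own, and the sample payload is constructed to mirror the one in the post.

```javascript
// Added example: HTML entity escaping for untrusted chat text.
// Not part of the original post or the chat designer tool; names are hypothetical.

const ENTITY_MAP = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
  '`': '&#96;',
};

// Replace each markup-significant character with its entity.
// '&' must be included: otherwise a message containing the literal text "&lt;"
// would be decoded back into "<" by the browser and the check could be bypassed.
// Emoji and other non-ASCII text pass through untouched, since none of it is
// special to the HTML parser.
function escapeHtml(text) {
  return String(text).replace(/[&<>"'`]/g, (ch) => ENTITY_MAP[ch]);
}

// Both the username and the message come from the chat, so both are escaped
// before being wrapped in the overlay's own (trusted) markup.
function renderChatLine(user, message) {
  return (
    '<div class="line">' +
    '<span class="user">' + escapeHtml(user) + '</span>: ' +
    '<span class="msg">' + escapeHtml(message) + '</span>' +
    '</div>'
  );
}

// Helper used to verify that escaped output contains no raw tag opener.
function containsMarkup(s) {
  return /<\/?[a-z]/i.test(s);
}

// Constructed sample input mirroring the "powerwash" payload from the post.
const SAMPLE_PAYLOAD =
  '<style>*{background: white !important; color: white !important;}</style>';

// Example usage: the escaped message renders as visible text, not as a stylesheet.
console.log(renderChatLine('viewer', SAMPLE_PAYLOAD));
```

If the overlay builds its DOM with the browser API rather than string concatenation, the same effect is obtained by assigning the message to an element's `textContent` instead of `innerHTML`; the escaping function is what you need whenever the markup is assembled as a string.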