Chat Designer for Twitch

Chat Designer for Twitch 3.0.2

Riezae

New Member
Hey everyone, I am loving this tool so far, but... for some reason any VIP who types in a message does not show up on the widget. Anyone know why? Any help would be appreciated because I have spent hours working on this.
 

Hexa Iter

New Member
Heads up, found a major issue. There are a lot of HTML tags that aren't getting sanitized if sent by chat. Including style and possibly even script.

I first started to notice it when messages with various stuff got nulled out. Cases where <text is between less than greater-than signs> as well as anything that would fall behind ;.
It may be worth going for a broad method and sanitizing by doing literal conversions. Such as < becoming
Code:
&lt;
and so on from everything between backticks to semicolons to brackets.

At worst, a workaround may be needed for things like emojis, but the alternatives of not handling it or having to check for all valid HTML tags would be annoying at best, a security risk at worst. I do however see a lot of griefing potential.

Example to powerwash the chat:
Code:
<style>*{background: white !important; color: white !important;}</style>
(Left side shows that Twitch's normal chat displays the text all nicely sanitized. Right shows the chat in the chat designer.)


(Side note, in the chat page itself, it actually did try to load the video but failed. It displayed a broken video player which didn't show up in the designer page.)

And to show how it normally looks when it hasn't been powerwashed by the power of chat using CSS.

I can very easily imagine a scenario where someone wrote a style that would use CSS's animation ability to turn the chat into a red strobe seizure light. And that isn't even the worst of the possible griefing they could do with just the style tag. If someone were to work around the issue with the img and video tags not loading that I ran into, well... I don't think I should explain the myriad of ways that would cause problems for a streamer on Twitch.

As is I do not think anyone should be using this. Which sucks, because the tool is really useful! So I hope this gets addressed and fixed ASAP.

And when it does get fixed I'll be back to using it, since I like that I have more freedom with a local chat engine than you can get with certain 3rd party sites.
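
Added example, not part of the original posts and not Chat Designer's own code: one way to do the literal conversion described above while still rendering Twitch emotes, by escaping every text segment and emitting only emote `<img>` tags as markup. The function names and the emote CDN URL template are assumptions; the `emotes` tag format is the one Twitch IRC attaches to chat messages.

```javascript
// Added example; names and the emote URL template are assumptions,
// not taken from Chat Designer's scripts.
const ENTITIES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;', '`': '&#96;' };
const emoteUrl = (id) => `https://static-cdn.jtvnw.net/emoticons/v2/${id}/default/dark/1.0`;

// Literal conversion: every character that can open markup or an attribute becomes an entity.
function escapeHtml(text) {
  return String(text).replace(/[&<>"'`]/g, (ch) => ENTITIES[ch]);
}

// Parse the IRC "emotes" tag, e.g. "25:0-4,12-16/1902:6-10", into ranges sorted by start.
function parseEmotesTag(tag) {
  const ranges = [];
  for (const part of (tag || '').split('/')) {
    const [id, positions] = part.split(':');
    if (!positions || !/^[A-Za-z0-9_]+$/.test(id)) continue; // reject malformed ids
    for (const pos of positions.split(',')) {
      const m = /^(\d+)-(\d+)$/.exec(pos);
      if (m) ranges.push({ id, start: Number(m[1]), end: Number(m[2]) });
    }
  }
  return ranges.sort((a, b) => a.start - b.start);
}

// Build the widget HTML: chat text is always escaped, only emote images are real tags.
function renderChatMessage(message, emotesTag) {
  const chars = Array.from(message); // emote offsets count code points, not UTF-16 units
  let html = '';
  let cursor = 0;
  for (const { id, start, end } of parseEmotesTag(emotesTag)) {
    // Skip overlapping, inverted or out-of-range positions instead of trusting them.
    if (start < cursor || end < start || end >= chars.length) continue;
    html += escapeHtml(chars.slice(cursor, start).join(''));
    const name = escapeHtml(chars.slice(start, end + 1).join(''));
    html += `<img class="emote" alt="${name}" src="${emoteUrl(id)}">`;
    cursor = end + 1;
  }
  return html + escapeHtml(chars.slice(cursor).join(''));
}
```

Where the widget does not need inline images at all, assigning the message to an element's `textContent` instead of `innerHTML` gives the same protection without any escaping code.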
 

Captain Howdy

New Member
Randomly stopped working completely for no reason. Chat messages won't even show up in browser. Gonna have to stop using this for overlays, way too janky unfortunately.
 

cdutson

New Member
Yah the auth code is failing, throwing a 401 now. I really liked this tool, but yeah it's getting too janky for me to continue using :/
 

criss_ki

New Member
@MiiRiiCo the auth-process is broken. The Twitchapps TMI Token Generator is discontinued, and via the Twitch Token Generator by swiftyspiffy I can get an auth-key but it doesn't work with my account or someone else's. The chat and the designer show no messages.
Can you please fix it?
 

rprm

New Member
@MiiRiiCo the auth-process is broken. The Twitchapps TMI Token Generator is discontinued, and via the Twitch Token Generator by swiftyspiffy I can get an auth-key but it doesn't work with my account or someone else's. The chat and the designer show no messages.
Can you please fix it?
You can use that generator for a bandaid-fix:

In the ChatDesigner/Script folder is a file named decompilerFinal.js. Open it with an editor of your choice (Notepad++, or just the Windows txt editor), then under headers put your authorisation token behind <Bearer > inside of the single quotation marks, then do the same for client-id, refer to pic.

Thing is, you'll have to do this again after 60 days, because I don't think TMI worked with refresh tokens? There's nothing in the script. Dunno, never looked at Twitch API stuff.
Funnily enough, without authorization you still could get messages from people without badges, because apparently you don't have to authorize for just the chat message.

I wish I had the motivation to rework it myself, as this isn't complicated to implement, but skimming through the scripts I saw that HTTP responses don't get checked for answer codes and I fear there could be more work hiding underneath.

Idk how to contact Miiriico if he isn't active here or on YouTube, but maybe I'll look into this if I get my own projects sorted out.
 

rprm

New Member
If you can receive messages without authorization, then perhaps this is just a feature of the WebSocket connection?
Maybe, I'm not sure about all the scripts in play here as I haven't looked into it too much yet, could be a feature of the API and the script just fails at some point where it expects some badge info without a try-catch block and poops itself.
Which... doesn't sound too reliable, but eh.
 