That’s neat. What’s the total volume per day? Are the passwords themselves being...

unlog · on June 3, 2023

Sorry, but this is not the way. It's like saying, "but I am escaping my inputs on sql with my function"... instead of doing the right thing.

The equivalent code is really not that hard:

    const span = document.createElement('span')
    span.setAttribute('class', 'fi fi'+msg.cc)
    span.setAttribute('title', msg.cc)

    col1.appendChild(span)
    col1.appendChild(document.createTextNode(msg.src))

    col2.textContent = msg.proto

    let code = document.createElement('code')

    code.textContent = msg.u
    col3.appendChild(code)

    code = code.cloneNode(true)
    code.textContent = msg.p
    col4.appendChild(code)

or something in these lines.. you get the idea

mike_d · on June 2, 2023

It is escaped server side. Anything long enough to be a useful payload is trimmed.

koolba · on June 2, 2023

How short we talking?

Since there's multiple opportunities to inject code, it's possible to split out the payload across multiple fields: https://www.highseverity.com/2011/06/xss-in-confined-spaces....

Ten characters per block is enough for:

    <script>/*
    */eval(/*
    */'....'+/*
    */'....'+/*
    */'....'+/*
    ...
    */)/*
    */</script>

Best to escape everything at render time.

mike_d · on June 2, 2023

Everything is escaped server side before it is sent to the client. Shoot me an email and I will let you play with it after the HN traffic dies down.

mike_hock · on June 3, 2023

As the other comment said, just write proper code instead of going "oh but it's escaped and size-limited."

JS has sane APIs where no string is "dangerous," use them.