Make chat example more robust against XSS etc.

clue · clue · commit 020f73f480ab · 2017-06-19T15:44:00.000+02:00
diff --git a/examples/10-eventsource.html b/examples/10-eventsource.html
@@ -2,19 +2,22 @@
 <html>
 <head>
     <meta charset="utf-8"/>
-    <title>EventSource example</title>
+    <title>EventSource Chat</title>
     <script>
-        var es = new EventSource('demo'), username = '';
+        var es = new EventSource('chat'), username = '';
         es.addEventListener('message', function(event) {
             var data = JSON.parse(event.data);
-            var $messages = document.querySelectorAll('.chat-messages')[0];
+
             var message = document.createElement('div');
-            if (data.username !== '') {
-                message.innerHTML = `<strong>${data.username}:</strong> ${data.message}`;
-            } else {
-                message.innerHTML = data.message;
+            if (data.username) {
+                var strong = document.createElement('strong');
+                strong.appendChild(document.createTextNode(data.username));
+                message.appendChild(strong);
             }
+            message.appendChild(document.createTextNode(data.message));
             message.classList.add('chat-message');
+
+            var $messages = document.querySelector('.chat-messages');
             if ($messages.childNodes.length !== 0) {
                 $messages.insertBefore(message, $messages.firstChild);
             } else {
@@ -23,31 +26,29 @@
         });
 
         document.addEventListener('DOMContentLoaded', function() {
-            var $chatForm = document.querySelectorAll('.chat-form')[0];
+            var $chatForm = document.querySelector('.chat-form');
             $chatForm.addEventListener('submit', function($event) {
                 $event.preventDefault();
-                var $input = document.querySelectorAll('.chat-form input')[0];
+                var $input = document.querySelector('.chat-form input');
                 if ($input.value.length) {
-                    fetch(`/message?message=${$input.value}&username=${username}`).then(function() {
+                    fetch('/message?message=' + encodeURIComponent($input.value) + '&username=' + encodeURIComponent(username)).then(function() {
                         $input.value = '';
                     });
                 }
             });
-        });
 
-        document.addEventListener('DOMContentLoaded', function() {
-            var $chatForm = document.querySelectorAll('.username-form')[0];
+            var $chatForm = document.querySelector('.username-form');
             $chatForm.addEventListener('submit', function($event) {
                 $event.preventDefault();
-                var $input = document.querySelectorAll('.username-form input')[0];
+                var $input = document.querySelector('.username-form input');
                 if ($input.value.length > 3) {
                     document.activeElement.blur();
                     username = $input.value;
-                    document.querySelectorAll('.chat-header')[0].innerHTML = username;
+                    document.querySelector('.chat-header').innerText = username;
                     document.body.classList.add('hide-username');
                     setTimeout(function() {
-                        document.querySelectorAll('.username-form-container')[0].style.display = 'none';
-                        document.querySelectorAll('.chat-form input')[0].focus();
+                        document.querySelector('.username-form-container').style.display = 'none';
+                        document.querySelector('.chat-form input').focus();
                     }, 800);
                 }
             });
@@ -69,7 +70,7 @@
 </div>
 <div class="username-form-container">
     <form class="username-form">
-        <input type="text" placeholder="Enter username" autofocus="">
+        <input type="text" placeholder="Enter username" autofocus>
         <button type="submit">Enter</button>
     </form>
 </div>
diff --git a/examples/10-styles.css b/examples/10-styles.css
@@ -87,6 +87,10 @@ form input {
     border-top: 1px solid #e9e9e9;
 }
 
+.chat-message strong {
+	margin-right: 0.5rem;
+}
+
 .username-form-container {
     transition: opacity 0.15s linear 0.55s;
     position: absolute;
diff --git a/examples/11-chat.php b/examples/11-chat.php
@@ -13,41 +13,45 @@
 
 $http = new React\Http\Server($socket);
 $http->on('request', function (Request $request, Response $response) use ($channel) {
-
     switch ($request->getPath()) {
         case '/':
             $response->writeHead('200', array('Content-Type' => 'text/html'));
             $response->end(file_get_contents(__DIR__ . '/10-eventsource.html'));
-            $message = array('message' => 'New person connected from '. $request->remoteAddress, 'username' => '');
-            $channel->writeMessage(json_encode($message));
+
             return;
         case '/styles.css':
             $response->writeHead('200', array('Content-Type' => 'text/css'));
             $response->end(file_get_contents(__DIR__ . '/10-styles.css'));
             return;
         case '/message':
             $query = $request->getQuery();
-            if (array_key_exists('message', $query)) {
-                $message = array('message' => htmlspecialchars($query['message']), 'username' => htmlspecialchars($query['username']));
+            if (isset($query['username'], $query['message'])) {
+                $message = array('message' => $query['message'], 'username' =>$query['username']);
                 $channel->writeMessage(json_encode($message));
             }
             $response->writeHead('201', array('Content-Type' => 'text/json'));
             $response->end();
             return;
-    }
+        case '/chat':
+            $id = $request->getHeaderLine('Last-Event-ID');
 
-    echo $request->remoteAddress . ' connected' . PHP_EOL;
+            $response->writeHead(200, array('Content-Type' => 'text/event-stream'));
+            $channel->connect($response, $id);
 
-    $headers = $request->getHeaders();
-    $id = isset($headers['Last-Event-ID']) ? $headers['Last-Event-ID'] : null;
+            $message = array('message' => 'New person connected from '. $request->remoteAddress);
+            $channel->writeMessage(json_encode($message));
 
-    $response->writeHead(200, array('Content-Type' => 'text/event-stream'));
-    $channel->connect($response, $id);
+            $response->on('close', function () use ($response, $channel, $request) {
+                $channel->disconnect($response);
 
-    $response->on('close', function () use ($response, $channel, $request) {
-        echo $request->remoteAddress . 'disconnected' . PHP_EOL;
-        $channel->disconnect($response);
-    });
+                $message = array('message' => 'Bye '. $request->remoteAddress);
+                $channel->writeMessage(json_encode($message));
+            });
+            break;
+        default:
+            $response->writeHead(404);
+            $response->end('Not Found');
+    }
 });
 
 $socket->listen(isset($argv[1]) ? $argv[1] : 0, '0.0.0.0');
