Dispatch chat XSS (removed / from messages)

Open Infinity585 opened this issue 1 year ago • 5 comments

Scripts can be run in the dispatch chat using HTML

This code below was tested on a base qbx build with the PS-MDT and PS-Dispatch being the only modifications.

For base ox_doorlocks, this code below can be pasted into the dispatch chat and it allows for teleporting.

This is one of many examples where there is a NUI in Lua that is 'protected' by a single check when a user tries to run the command to open a menu, but the menu callbacks have no checks in them, so anyone using the ps-mdt could use the dispatch chat to call NUI callbacks via JS post commands, bypassing any unchecked NUI elements.

Basically, my change adds a function to strip the / from the HTML closing tags, making invalid HTML, so it's likely to throw an error on the client side.

Infinity585 avatar Aug 17 '24 14:08 Infinity585

This is a great catch. However, I suggest we sanitize the input in the HTML input, to catch it as early as possible. Could you move the sanitation to JavaScript instead?

xFutte avatar Aug 18 '24 11:08 xFutte

Sweet as, I'll make an edit today.

Infinity585 avatar Aug 18 '24 21:08 Infinity585

The edit has been finished; the sanitation is now within the JavaScript. I also changed it from just removing the char to encoding, and added other symbols such as >, /, & and quotes, since these are commonly used in injection. It now allows the user to still send the messages without erroring out like my last patch, and people can now also see when someone attempts to input HTML.

Infinity585 avatar Aug 18 '24 23:08 Infinity585
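
The encoding approach described in the comment above, sketched as an added example that is not part of this thread or of the ps-mdt code base. The names `escapeHtml` and `renderChatMessage` and the CSS class names are assumptions, and the sample message is constructed.

```javascript
// Added example: HTML-encode untrusted chat text before it is placed in markup.
// escapeHtml, renderChatMessage and the class names are hypothetical.

// The characters named in the comment (>, /, &, quotes) plus "<".
const HTML_ENTITIES = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#39;",
  "/": "&#x2F;",
};

// Replace every markup-significant character in a single pass, so the "&"
// of an entity that was just produced is never encoded a second time.
function escapeHtml(value) {
  return String(value).replace(/[&<>"'\/]/g, (ch) => HTML_ENTITIES[ch]);
}

// Build the markup for one chat line. Both the sender name and the message
// body come from another player, so both are encoded before concatenation.
function renderChatMessage(sender, text) {
  return (
    '<div class="dispatch-chat-message">' +
    '<span class="sender">' + escapeHtml(sender) + "</span>" +
    '<span class="text">' + escapeHtml(text) + "</span>" +
    "</div>"
  );
}

// Constructed sample input: the tags are shown to readers as literal text
// instead of being parsed as HTML.
const sample = '<b title="x">hello</b> & \'bye\'';
console.log(renderChatMessage("Unit 12", sample));
```

Where the chat line is built with DOM APIs instead of string concatenation, assigning the message to `textContent` gives the same result without any markup parsing. Output encoding only covers how the message is displayed; the unchecked NUI callbacks described in the issue still need their own checks.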

@xFutte Are there any other requirements?

Infinity585 avatar Sep 20 '24 01:09 Infinity585