From 07ff34618d93ed1039f1fe53ed54ad7065818203 Mon Sep 17 00:00:00 2001
From: Bill Mill
Date: Wed, 15 Jun 2022 22:27:10 -0400
Subject: [PATCH] correct threshold status code

---
 server/main.go              | 5 +++--
 server/templates/index.html | 5 +++--
 2 files changed, 6 insertions(+), 4 deletions(-)

diff --git a/server/main.go b/server/main.go
index cf3a4ff..bb6000a 100644
--- a/server/main.go
+++ b/server/main.go
@@ -4,6 +4,8 @@
 // * check that the body contains a proper last-modified tag
 // * implement peer sharing and receiving
 // * display HTML safely (strip javascript with sanitize API maybe?)
+// * the sanitize API is not yet available anywhere (6/15/22)
+// * https://developer.mozilla.org/en-US/docs/Web/API/Sanitizer/sanitize#browser_compatibility
 // * add / to show a single board
 
 package main
@@ -241,8 +243,7 @@ func (s *Spring83Server) publishBoard(w http.ResponseWriter, r *http.Request) {
 	// than
 	if binary.BigEndian.Uint64(key) >= keyThreshold {
 		if err != nil || len(key) != 32 {
-			// the spec doesn't specify the proper return value in this case
-			http.Error(w, "Key greater than threshold", http.StatusBadRequest)
+			http.Error(w, "Key greater than threshold", http.StatusForbidden)
 			return
 		}
 	}
diff --git a/server/templates/index.html b/server/templates/index.html
index bb6f3d7..70b996c 100644
--- a/server/templates/index.html
+++ b/server/templates/index.html
@@ -16,11 +16,12 @@ window.addEventListener("DOMContentLoaded", (_evt) => {
 		});
 		document.querySelector("#containers").innerHTML = divs.join("\n");
 
-		// maybe use: https://developer.mozilla.org/en-US/docs/Web/API/Sanitizer/sanitize
-		// to try and strip XSS/scripts?
 		boards.forEach(board => {
 			const container = document.querySelector(`#b${board.Key}`);
 			const shadow = container.attachShadow({mode: 'closed'});
+
+			// would like to use SetHTML, which would sanitize the DOM, but it's not
+			// yet available. This HTML can run scripts and XSS on you
 			shadow.innerHTML = board.Board;
 		});
 	});
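Review bot: The 403 is only ever sent when `err != nil || len(key) != 32`, which is a malformed-key condition, so a well-formed 32-byte key whose leading 8 bytes are at or above `keyThreshold` falls through both ifs and is not rejected at all; the status-code change does not fix that. The threshold test and the well-formedness test should be separate guards, with the malformed case rejected first, since `binary.BigEndian.Uint64(key)` on a short or nil key panics (unless `key` is already validated earlier in `publishBoard`, which starts outside this hunk — please confirm). The comment on the removed line explained why 400 was chosen; a one-line note on why 403 is now preferred would keep that history, e.g. `// spec leaves this unspecified; 403 distinguishes a rejected key from a malformed request`.
```go
if err != nil || len(key) != 32 {
	http.Error(w, "Invalid key", http.StatusBadRequest)
	return
}
// keys at or above the threshold are rejected outright
if binary.BigEndian.Uint64(key) >= keyThreshold {
	http.Error(w, "Key greater than threshold", http.StatusForbidden)
	return
}
// … unchanged: rest of publishBoard …
```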
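Review bot: The new comment above `shadow.innerHTML = board.Board` is right that this content can run code, but it is worth being precise so a later reader does not assume the closed shadow root is a security boundary: `<script>` elements set via innerHTML do not execute, whereas inline event-handler attributes, `javascript:` URLs and similar constructs in the board HTML do, and `mode: 'closed'` only hides the tree from page scripts, it does not sandbox it. Until a sanitizing `setHTML` is usable, the server could ship a Content-Security-Policy that restricts `script-src` (blocking inline handlers regardless of board content), or each board could be rendered into an `<iframe sandbox srcdoc=…>` so its markup is isolated from the host page; either is a small change and would make the comment's warning moot. I would reword the comment to `// NOTE: innerHTML on a closed shadow root gives no isolation — inline handlers in board HTML still run in this page's origin; mitigate via CSP or a sandboxed iframe until a sanitizing setHTML is available`.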