Add firefox support + some XSS testing

Simyon264 · Feb 25, 2024 · d8f3acf · d8f3acf
1 parent 7b4140f
commit d8f3acf
Show file tree

Hide file tree

Showing 4 changed files with 36 additions and 2 deletions.
diff --git a/SU.LorePage/Helpers.cs b/SU.LorePage/Helpers.cs
@@ -25,11 +25,23 @@ public static string GetCurrentDate()
     /// </summary>
     /// <param name="content"></param>
     /// <returns></returns>
-    public static string ParseContent(string content)
+    public static string ParseContent(string content, bool isFirefox)
     {
         // First we escape any HTML tags
         content = content.Replace("<", "&lt;");
         content = content.Replace(">", "&gt;");
+
+        // Since white-space-collapse is not supported in Firefox, we need to replace all new lines with <br> tags
+        if (isFirefox)
+        {
+            content = content.Replace("\n", "<br>");
+            // We also need to replace all double spaces with &nbsp;
+            content = content.Replace("  ", "&nbsp; ");
+            // as well as tabs
+            content = content.Replace("\t", "&nbsp;&nbsp;&nbsp;&nbsp;");
+            // This makes it mostly work, but it's not perfect agh
+            // TODO: Fix firefox support
+        }
 
         // Then we replace the placeholders
         content = content.Replace("[date]", GetCurrentDate());

diff --git a/SU.LorePage/Layout/Screen.razor b/SU.LorePage/Layout/Screen.razor
@@ -214,7 +214,8 @@
         var content = responseString.ToCharArray();
         try
         {
-            content = Helpers.ParseContent(responseString).ToCharArray();
+            var isFirefox = await JsRuntime.InvokeAsync<bool>("isFirefox");
+            content = Helpers.ParseContent(responseString, isFirefox).ToCharArray();
         }
         catch (Exception e)
         {

diff --git a/SU.LorePage/wwwroot/Resources/Debug/XSS_Test.md b/SU.LorePage/wwwroot/Resources/Debug/XSS_Test.md
@@ -0,0 +1,16 @@
+#TERMINAL_FILE
+TITLE=XSS Test
+```
+
+Testing direct XSS
+<script>alert('XSS');</script>
+
+Testing escape from color tag
+[color=red"><script>alert('XSS');</script>][/color]
+
+Button XSS test
+[button=javascript:alert('XSS');Click me]
+
+```
+
+This is a test file used to test XSS vulnerabilities. Never link to this file in any way.
diff --git a/SU.LorePage/wwwroot/index.html b/SU.LorePage/wwwroot/index.html
@@ -85,6 +85,11 @@
                 console.error(`Element with id content_${id} not found`);
             }
         }
+
+        function isFirefox() {
+            return navigator.userAgent.toLowerCase().indexOf('firefox') > -1;
+        }
+
     </script>
 </body>