Javascript api security when sending messages

Hi
When I am sending messages using CometChat, the messages go through https://apiclient-us.cometchat.io/v2.0/messages. If a hacker uses it and sends messages, the messages go through without encoding, like script tags and HTML tags. How can we prevent it?

You can use our XSS Filter extension to sanitize the message at the receiver’s end.


Right now we have implemented the XSS Filter extension to sanitize the data. In the metadata, the data is coming with xss-filter, with hasXSS and sanitized_text.

But when we send data to check the XSS filter by using the network settings, the data goes to the room, and when the data is fetched, it doesn’t look like the xss-filter is working. The received data in the xss-filter is showing hasXSS: No. Screenshot attached for reference.

If you send a message:
<iframe>Hi!</iframe><script>alert('Hello!')</script>
gets converted to &lt;iframe&gt;Hi!&lt;/iframe&gt;&lt;script&gt;alert('Hello!')&lt;/script&gt;
and hasXSS: "yes"


If you send a message:
Hello
gets converted to Hello (that is, no change)
and hasXSS: "no"

When displaying the message in the message bubble, you need to pick the sanitized_text.

I hope that helps.
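To illustrate the advice in the replies above (use the XSS Filter extension, and render sanitized_text rather than the raw text), here is an added example of the receiver-side selection logic. It is not CometChat's own code. The metadata path it reads, metadata["@injected"].extensions["xss-filter"], is an assumption about where the extension attaches hasXSS and sanitized_text; adjust it to match the message objects you actually receive. The sample messages are constructed, not captured from a deployment.

```javascript
// Added example (not CometChat's code): pick the text to render for an incoming
// message. ASSUMPTION: the XSS Filter extension output lives under
// metadata["@injected"].extensions["xss-filter"] with hasXSS ("yes"/"no") and
// sanitized_text; change getXssFilterResult() if your messages differ.

// Minimal HTML entity escaping, used only when no extension output is present.
function escapeHtml(text) {
  return String(text)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Return the xss-filter block from a message's metadata, or null if it is missing
// or malformed (e.g. a message posted straight to the REST endpoint before the
// extension was enabled, or a client that stripped the metadata).
function getXssFilterResult(message) {
  const injected = message && message.metadata && message.metadata["@injected"];
  const extensions = injected && injected.extensions;
  const result = extensions && extensions["xss-filter"];
  if (!result || typeof result.sanitized_text !== "string") return null;
  return result;
}

// Decide what goes into the message bubble.
//  - Extension output present: use sanitized_text (entity-encoded when hasXSS is "yes").
//  - Otherwise: escape message.text ourselves. In neither case is the raw
//    message.text ever handed to innerHTML.
function getSafeDisplayText(message) {
  const result = getXssFilterResult(message);
  if (result) {
    return { text: result.sanitized_text, hasXSS: result.hasXSS === "yes", source: "xss-filter" };
  }
  const raw = message && typeof message.text === "string" ? message.text : "";
  const escaped = escapeHtml(raw);
  return { text: escaped, hasXSS: escaped !== raw, source: "client-fallback" };
}

// Constructed sample messages, mirroring the two cases described in the reply.
const SAMPLE_MALICIOUS = {
  id: "1",
  text: "<iframe>Hi!</iframe><script>alert('Hello!')</script>",
  metadata: {
    "@injected": {
      extensions: {
        "xss-filter": {
          hasXSS: "yes",
          sanitized_text: "&lt;iframe&gt;Hi!&lt;/iframe&gt;&lt;script&gt;alert('Hello!')&lt;/script&gt;",
        },
      },
    },
  },
};
const SAMPLE_BENIGN = {
  id: "2",
  text: "Hello",
  metadata: { "@injected": { extensions: { "xss-filter": { hasXSS: "no", sanitized_text: "Hello" } } } },
};
// A message carrying no extension output at all (constructed).
const SAMPLE_UNFILTERED = { id: "3", text: "<img src=x onerror=alert(1)>" };

// Usage: feed each message through the selector before rendering.
for (const m of [SAMPLE_MALICIOUS, SAMPLE_BENIGN, SAMPLE_UNFILTERED]) {
  const out = getSafeDisplayText(m);
  console.log(m.id, out.source, out.hasXSS, out.text);
}
```

Both branches return entity-encoded text, so the bubble renders the same way whichever branch produced it: set it with innerHTML so the entities display as the literal characters, or decode it and use textContent. Because the extension output arrives in the received message's metadata rather than being computed by the sender's client, a sender who posts directly to the REST endpoint does not get to skip it; the client-side fallback only covers messages that reach the UI with no extension output.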