Show HN: EphChat – Ephemeral, Anonymous, Encrypted Realtime Chat (ephchat.com)
17 points by bmmayer1 on July 18, 2014 | hide | past | favorite | 18 comments


Really? I wouldn't trust this with any form of secure communication.

https://ephchat.com/?room=%3C/title%3E%3Cimg%20src=%22http:/...


Works in chat messages too; I just got redirected to example.com, and someone's embedding an audio file using their username, so I'm guessing there's just no sanitization anywhere.


1. Open ephchat.

2. Click change name.

3. Paste the following contents and hit enter.

  <img src="#" onerror="javascript:void(function(setVal,sendClick,text){setVal.value=text;sendClick.click();}(document.querySelector('#chatText'),document.querySelector('#chatButton'),'hello'))"/>hi


And this is why you absolutely never trust user input.
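As an added example (not EphChat's code, nor from anyone in this thread), this is the output encoding the comments above say is missing, written in JavaScript since the injection happens in the browser client; the room name, username and message inputs are constructed here to resemble the payloads posted above.

```javascript
// Added example, not EphChat's code. Every user-controlled string (room name,
// username, message text) is HTML-encoded before it is placed into markup, so
// it can only ever render as text, never as a tag or an event handler.
const HTML_ESCAPES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
};

function escapeHtml(untrusted) {
  return String(untrusted).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Markup for one chat line; both fields are attacker-controlled in the thread
// (username via "change name", text via the message box).
function renderMessage(name, text) {
  return `<li><b>${escapeHtml(name)}</b>: ${escapeHtml(text)}</li>`;
}

// The room name comes from the URL query string and ends up in the document
// title, which is why the "</title><img ..." payload above worked.
function renderTitle(room) {
  return `<title>EphChat - ${escapeHtml(room)}</title>`;
}

// Constructed inputs modelled on the payloads posted in the thread.
const PAYLOAD_NAME = '<img src="#" onerror="x()"/>hi';
const PAYLOAD_ROOM = '</title><img src="http://example.invalid/x">';

// Sanity check used by the demo: encoded output must contain no raw tag start.
function containsRawTag(html) {
  return /<(?!\/?(li|b|title)\b)/.test(html);
}

function demo() {
  const line = renderMessage(PAYLOAD_NAME, 'hello');
  const title = renderTitle(PAYLOAD_ROOM);
  return { line, title, safe: !containsRawTag(line) && !containsRawTag(title) };
}

console.log(demo());
```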


This has been fixed. Thanks!


Nice!


Judging by the other comments, this is a good example of all the ways not to build such a system.


Where is the server source code? I'm not seeing where messages are stored/transmitted to clients?

Also https://github.com/bmmayer/ephchat/issues/2


It is a simple websockets chat using Firebase...

https://github.com/firebase/firechat


You criticized the random code generation function. Could you explain why it is bad? Though I code, I am no expert and would really like to know.


This is the offending code: https://github.com/bmmayer/ephchat/blob/ec375c7974ea825f887f...

This is the proper way to do it (h/t @tptacek): http://sockpuppet.org/blog/2014/02/25/safely-generate-random...

mt_srand() + rand() is just hilarious. The md5(uniqid()) thing is a common randomness anti-pattern in PHP projects that needs to die in a fire.

In PHP, a very brief example of the code to achieve the proper way of generating randomness looks like the snippet I posted in the issue.


Reminds me of a little encrypted chat app I made with a friend a few weeks ago. Ours is intended for two-way communication: http://cifrachat.herokuapp.com/


This is misleading - it uses Firebase for the server! How can the OP claim that the server is not storing messages if the OP doesn't control the server?

I have no reason to trust that Firebase isn't storing the messages. Why should I?


For something a bit better, check out https://chat.echoplex.us or the description at https://echoplex.us


Uhh. Trivial HTML injection, "trust us" security model. Lame.


This is not secure at all. I expected some kind of XMPP-OTR stuff...


Is Firebase even open source? How is this anonymous? Does anyone know what data Firebase collects from its users?


The text I type to the room is cached locally.

