
My Node.js app, or, a simple explanation of asynchronicity and non-blocking IO - maryrosecook
http://www.maryrosecook.com/post/how-i-made-street-hoarding-a-node-js-and-redis-application-or-a-super-simple-explanation-of-asynchronicity-event-loops-non-blocking-io-javascript-and-node
======
pilif
you stole 2 hours of my life with this site. So much fun.

After discovering that there's no XSS protection whatsoever, the fun really
started. I'm still sorry about that location.href='http://microsoft.com', but
using a browser with JS disabled, we managed to find out how the script posts
the message and were able to fix it that way.

Of course, then the "funny" people began crashing browsers using various
methods.

That's when my coworker and I came up with the idea of fixing the hole by
patching window.updateMessage, so everyone who was on the site when we were
doing that was protected against further attempts at crashing browsers.

Now if we could have XSS protection built-in, this could really be so much
fun. The "discussions" going on before the exploiting started all around were
really funny.

~~~
maryrosecook
I'm glad you enjoyed it. I didn't remove HTML/script tags from the input
because it was just a mini project to learn Node.js. Now, I'm really glad I
didn't because the XSS battles were fun to watch.

I'll be keeping an eye on the site during the afternoon. Only three restarts
in three hours! Woo.

------
giu
Nice article, and an interesting combination of technologies! Maybe it's a
little bit off topic, but I had a look at <http://streethoarding.com/> to see
the thing in action. I like the idea and execution (it runs pretty fast; very
very simple design; would be interesting to see how well it runs with a huge
amount of visitors) and as curious as I am (especially regarding security),
the first thing I entered was some JavaScript code. Guess what, no input
sanitization :)

~~~
maryrosecook
Yes, HTML and script tags are left as is. People are in the middle of abusing
this right now. My friend has just pointed out that the whole of jQuery is at
everyone's disposal, too.
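
The problem pilif and giu describe (message text spliced into the page as raw HTML, so a pasted script tag runs for every visitor) is fixed by escaping on output. The snippet below is an added example, not streethoarding's or node_chat's code; the function names and the sample message are made up for illustration. It shows the unsafe rendering next to a hardened one, plus the client-side equivalent of patching updateMessage to write text instead of markup.

```javascript
// Added example (hypothetical names): escaping user-supplied message text for
// the HTML body context before it reaches the page.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Replace the five characters that can change meaning inside HTML text or
// attribute values. Ampersand first is implicit: each char is mapped once.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, ch => HTML_ESCAPES[ch]);
}

// Unsafe rendering, as the thread describes: the message goes into the markup
// verbatim, so a message containing <script> is executed by every browser that
// loads the page.
function renderMessageUnsafe(message) {
  return `<div class="message">${message}</div>`;
}

// Safe rendering: the text is escaped before interpolation, so any tags the
// poster typed arrive as inert text and are displayed literally.
function renderMessageSafe(message) {
  return `<div class="message">${escapeHtml(message)}</div>`;
}

// Browser-side counterpart of the server fix: assign textContent, never
// innerHTML, when a polled message is written into the DOM. The element is any
// object with a textContent property, so this also runs outside a browser.
function updateMessageSafe(element, message) {
  element.textContent = String(message);
  return element;
}

// Constructed sample input, the kind of thing posted to the site per the thread.
const CONSTRUCTED_INPUT = '<script>alert("xss")</script> hello';

if (typeof require !== 'undefined' && require.main === module) {
  console.log(renderMessageUnsafe(CONSTRUCTED_INPUT)); // live script element
  console.log(renderMessageSafe(CONSTRUCTED_INPUT));   // inert &lt;script&gt; text
}
```

Escape exactly once, at the point where text is inserted into HTML; escaping on input and again on output double-encodes (`&lt;` becomes `&amp;lt;`), and escaping for HTML text is not sufficient for other contexts such as inside a `<script>` block or a URL.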

~~~
wisty
I'm learning javascript now. Just for this site. Awesome.

------
matthijs
Checking out your code it looks like you're just polling (not long-polling)?
Instead of just holding the connection open and waiting for a new message you
pass the latest message and let the client reconnect. I use node like this
(really simplified but still):
http://blog.dispostable.com/instant-mail-notifications-using-nodejs
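
The distinction matthijs draws, answering at once versus parking the request until something new arrives, is shown below as an added example; it is not streethoarding's code or the code from the linked post, and the class and method names are hypothetical. It keeps the transport out of the picture (no HTTP server is started) so the two behaviours can be compared in memory, and adds the two guards a held connection needs: a timeout so the client eventually reconnects, and a cap on parked waiters so one server process cannot be tied up indefinitely.

```javascript
// Added example (hypothetical names): plain polling vs long polling over an
// in-memory message board. A real server would call these from its request
// handlers; here `respond` stands in for writing the HTTP response.
class MessageBoard {
  constructor({ timeoutMs = 30000, maxWaiters = 1000 } = {}) {
    this.messages = [];        // { id, text }, ids are ascending
    this.waiters = new Set();  // parked long-poll responders
    this.timeoutMs = timeoutMs;
    this.maxWaiters = maxWaiters;
  }

  // Plain polling: reply immediately with everything newer than sinceId,
  // which is often nothing. The client reconnects on its own timer.
  latestSince(sinceId) {
    return this.messages.filter(m => m.id > sinceId);
  }

  // Long polling: if something newer exists, reply now; otherwise hold the
  // responder until post() releases it or the timeout sends an empty reply.
  waitSince(sinceId, respond) {
    const fresh = this.latestSince(sinceId);
    if (fresh.length > 0) { respond(fresh); return 'immediate'; }
    if (this.waiters.size >= this.maxWaiters) { respond([]); return 'rejected'; }
    const waiter = { sinceId, respond, timer: null };
    waiter.timer = setTimeout(() => {
      this.waiters.delete(waiter);
      respond([]);   // empty reply: nothing happened, client reconnects
    }, this.timeoutMs);
    if (typeof waiter.timer.unref === 'function') waiter.timer.unref();
    this.waiters.add(waiter);
    return 'parked';
  }

  // Publishing a message wakes every parked waiter at once.
  post(text) {
    const msg = { id: this.messages.length + 1, text };
    this.messages.push(msg);
    const pending = [...this.waiters];
    this.waiters.clear();
    for (const w of pending) {
      clearTimeout(w.timer);
      w.respond(this.latestSince(w.sinceId));
    }
    return msg;
  }
}

// Scripted scenario returning an event trace, so the difference is visible
// without a network: the plain poll sees nothing, the long poll parks and is
// released the moment a message is posted.
function demo() {
  const board = new MessageBoard({ timeoutMs: 5000 });
  const trace = [];
  trace.push(['plain-poll', board.latestSince(0).length]);
  const state = board.waitSince(0, msgs => trace.push(['long-poll-reply', msgs.map(m => m.text)]));
  trace.push(['long-poll', state]);
  board.post('first!');
  trace.push(['plain-poll', board.latestSince(0).length]);
  return trace;
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(demo()));
}
```

With a real HTTP server, each parked waiter is an open socket, so the timeout and the cap on waiters bound how many file descriptors a burst of idle clients can hold; the client should treat an empty reply as "reconnect now" rather than as an error.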

~~~
nishith
matthijs, really interesting post, and very much liked your product as well.
Amazingly simple. But I couldn't see any new message indicator when I tried it
out in Chrome. Has it already been put in production?

~~~
matthijs
Yes it is already live, all you need to do is click the "Check for new
messages" button on the inbox page and you'll be notified with a sound and the
new message will be highlighted.

I just checked and made sure it is still working as it is supposed to (Firefox
+ Safari). I'll try Chrome as well.

------
maryrosecook
streethoarding.com now has quite a few people posting lolcats, JS redirects,
JS alerts and random words.

~~~
gcampbell
Yes, I would recommend avoiding clicking through to it if you're worried about
potentially NSFW content.

------
siculars
This is based heavily on the node_chat app that _ry wrote as a node example,
on GitHub, FYI. I know because I've used it myself to figure out how node does
its thing.

~~~
maryrosecook
Yes, I copped a bunch of code from Ryan Dahl's demo chat app.

