
feat(cfx-ui): allow html in connecting status #3169


Open. Wants to merge 2 commits into base: master

Conversation

csskroubledev
Contributor

Goal of this PR

Add support for using HTML code in the connecting status, e.g. deferral.update(), like the rejection status already can (deferral.done()), allowing server developers to create more customized update statuses than Adaptive Cards can provide (excluding inputs, of course).
...

How is this PR achieving the goal

This PR replaces the current implementation of showing the status message with one similar to the rejection status.
...

This PR applies to the following area(s)

FiveM, RedM
...

Successfully tested on

Game builds: 3258, 3095

Platforms: Windows

Checklist

  • Code compiles and has been tested successfully.
  • Code explains itself well and/or is documented.
  • My commit message explains what the changes do and what they are for.
  • No extra compilation warnings are added by these changes.

Fixes issues

Preview

I'm attaching a PoC of my change.

[image attachment: PoC screenshot]

@github-actions github-actions bot added RedM Issues/PRs related to RedM triage Needs a preliminary assessment to determine the urgency and required action labels Feb 19, 2025
@AvarianKnight
Contributor

XSS?

@csskroubledev
Contributor Author

XSS?

I was informed that FiveM already prevents script tags from being used, and additionally HTML has been allowed in connection rejection for a long time (used by txAdmin mostly).

I tried using those, and in fact didn’t succeed.

@csskroubledev
Contributor Author

XSS?

I was informed that FiveM already prevents script tags from being used, and additionally HTML has been allowed in connection rejection for a long time (used by txAdmin mostly).

I tried using those, and in fact didn’t succeed.

Just to make sure, I have tested some scenarios where a potential bad actor could abuse the HTML ability.

Code that was tested:
[image attachment: tested code]

Video of checking it out:
https://streamable.com/ceo6n8

@prikolium-cfx
Collaborator

XSS?

I was informed that FiveM already prevents script tags from being used, and additionally HTML has been allowed in connection rejection for a long time (used by txAdmin mostly).

I tried using those, and in fact didn’t succeed.

Did you try the way txAdmin formats the connection status message?
https://github.com/tabarra/txAdmin/blob/master/core/routes/player/checkJoin.ts#L26-L45

@csskroubledev
Contributor Author

XSS?

I was informed that FiveM already prevents script tags from being used, and additionally HTML has been allowed in connection rejection for a long time (used by txAdmin mostly).
I tried using those, and in fact didn’t succeed.

Did you try the way txAdmin formats the connection status message? https://github.com/tabarra/txAdmin/blob/master/core/routes/player/checkJoin.ts#L26-L45

I might have a problem understanding what you mean by your message.
Do you want me to check if the same code that txAdmin uses for the reject works for updating statuses too?

If it's about the fact that they sanitize the ban reason, it doesn't matter, because every other resource can reject the connection while trying to use some XSS stuff, even though it seems to be already sanitized somewhere in between sending data from resource -> cfx-ui, which was proven by my example in #3169 (comment)
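As an added, defender-side illustration of the sanitization question raised in this thread (this is example code written for this page, not cfx-ui's, FiveM's or txAdmin's actual filter, and the tag allowlist is an assumption): rather than stripping only `<script>` tags, an allowlist sanitizer keeps a small set of formatting tags with no attributes and turns everything else into escaped text, so a status message can still carry bold/italic/line-break markup while any unrecognized tag, any attribute, or any malformed markup is rendered inert. It goes beyond the specific case in the comments by handling arbitrary tag names and unbalanced tags, not just script tags.

```javascript
// Example sanitizer for an HTML status message (added example; not cfx-ui code).
// Assumption: only these formatting tags are needed in a connecting status.
const ALLOWED_TAGS = new Set(['b', 'i', 'u', 'strong', 'em', 'br', 'p', 'span']);

// Escape text so it is rendered literally, never parsed as markup.
function escapeText(s) {
  return s
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;');
}

// Allowlist sanitizer: keeps allowed tags WITHOUT any attributes, drops all
// other tags, escapes everything else, and closes any tags left open so the
// output cannot leak formatting into the surrounding page.
function sanitizeStatusHtml(input) {
  // Matches "<tag ...>" or "</tag ...>"; anything that does not look like a
  // complete tag (e.g. a bare "<" or an unterminated tag) is treated as text.
  const tagRe = /<\s*(\/?)\s*([a-zA-Z][a-zA-Z0-9]*)\b[^>]*>/g;
  let out = '';
  let last = 0;
  const open = []; // stack of currently open allowed tags
  let m;
  while ((m = tagRe.exec(input)) !== null) {
    out += escapeText(input.slice(last, m.index));
    last = tagRe.lastIndex;
    const closing = m[1] === '/';
    const name = m[2].toLowerCase();
    if (!ALLOWED_TAGS.has(name)) continue; // unknown tag: dropped entirely
    if (name === 'br') { out += '<br>'; continue; } // void element, no close
    if (closing) {
      const idx = open.lastIndexOf(name);
      if (idx === -1) continue; // stray closing tag: dropped
      while (open.length > idx) out += `</${open.pop()}>`; // close nested tags
    } else {
      open.push(name);
      out += `<${name}>`; // attributes are never copied through
    }
  }
  out += escapeText(input.slice(last));
  while (open.length) out += `</${open.pop()}>`; // balance unclosed tags
  return out;
}

// Constructed sample statuses, as a server script might send via deferral.update():
const SAMPLES = [
  '<b>Loading</b> map, please wait',
  '<script>alert(1)</script>ok',
  '<b onclick="x()">Hi</b>',
  '<img src="http://example.invalid/a.png">',
  '<b>unclosed',
  'a < b',
];
for (const s of SAMPLES) console.log(JSON.stringify(s), '->', JSON.stringify(sanitizeStatusHtml(s)));

module.exports = { sanitizeStatusHtml, escapeText, ALLOWED_TAGS };
```

Because attributes are never copied through, event-handler and URL-bearing attributes are removed without maintaining a list of dangerous names, and text that only looks like markup (such as an unterminated tag) is displayed as plain text instead of being parsed. A real sanitizer library would also handle entities and nested contexts; this block only shows the allowlist principle.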
