Tested version: latest

Steps to reproduce the vulnerability:

• Login in the application.
• Click on Add a Private task.
• Set "<script>alert(document.domain)</script> as task description and save.
• XSS will fire whenever task is reflected in page.

Tested version: latest

Steps to reproduce the vulnerability:

• Login in the application.
• Click on Channels.
• Click on Add a new channel.
• Fill all the possible fields with payload "<script>alert(document.domain)</script> and save.
• XSS will fire whenever user info is reflected in page.

First of all congratulation for such a job. As far as I understood, data is stored under database directory. I wonder how to integrate remote database (SQL or NoSQL) to this project.

You should store passwords using some modern hash algorithms like bcrypt.

I have a question about schema

I know that I can send AJAX request from front-end like:

var user = {email: '[email protected]', password: '1234'};
AJAX('POST /api/login/', user, function(response) {...});

and I know that this request will responsed by something in back-end like:

F.route('/api/login/', json_exec, ['*Login', 'post', 'unauthorize']);
function json_exec(id) {
        this.id = id;
	this.$workflow('exec', this.callback());
}

note: login is a schema that has email and password fields (like user variable that sends from front-end)

now, my question is how can I do same thing from back-end (instead of sending AJAX request), for example when user type some url like: "http://mysite/{email}/{password}" in browser's url bar the same thing happend (when user sends that AJAX from front-end)
now, I know that I should first write this code:

F.route('/{email}/{password}', me, ['unauthorize']);
function me(email, password){	
        this.$workflow('exec', this.callback()); // I wanna the same thing like func() function and then get the result(in this $workflow I have SUCCESS(true) at the                                                                                         // end  ) then show a new html page based on result
        //an else if lines of code to show new html page based on result of above (this.view('...'))
}

note: and this is login schema:

NEWSCHEMA('Login').make(function(schema) {

	schema.define('email', 'Email', true);
	schema.define('password', 'String(30)', true);

	schema.addWorkflow('exec', function(error, model, options, callback, controller) {
		var user = F.global.users.findItem('email', model.email);
		if (user && user.password == model.password.sha1()) {
			if (user.blocked)
				error.push('error-user-blocked');
			else {
				controller.cookie(F.config.cookie, F.encrypt(user.id + '|' + controller.ip + '|' + F.datetime.getTime()), '1 month');
				NOSQL('users').counter.hit('all').hit(user.id);
			}
		} else
			error.push('error-user-credentials');
		callback(SUCCESS(true));
	});
)}

thank you

Hello, i need to add registration form for making accounts, how i can make it?

i have setup the messenger in SuperAdmin to work with ssl. unfortunately the login page does not load as it does in http correctly . do I miss some configuration at this point it seems that the framework is not loaded correctly through ssl.

When I set up a new PFP it doesn't save into a database and it shows as a broken image icon. Please help!

I deployed the application into a web server, so all the data should be on that server, and not the computer.

Hi there!

Wondering if Messenger is strictly a web-app, or if there's an option to build it into a desktop application like Slack is

Tested version: latest

Steps to reproduce the vulnerability:

• Login in the application.
• Click on Direct messages.
• Click on Add a new user.
• Fill all the possible fields with payload "<script>alert(document.domain)</script> and save.
• XSS will fire whenever user info is reflected in page.