XSS Vulnerability in user email
j3soon opened this issue · 2 comments
Hi, I've been following the tutorial. However, I noticed that there is no email or password validation in this example. So, if we fill in the email with:
<img src="https://duckduckgo.com/assets/logo_homepage.normal.v107.svg" onload="alert('XSS Vulnerability?')">
and then create a user, all users will execute the script and pop up the alert message.
I'm wondering if the validation part was omitted on purpose for simplicity? If not, maybe I can try to implement this. (add a hook before user creation that throws an error when receiving emails in the wrong format?)
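The "hook before user creation" idea above, written out as an added example; this is not code from feathers-chat or its guide. It follows the shape Feathers uses for a `before` hook (a function receiving a `context` whose `data` is the record being created), but the regex, the length limit and the plain `Error` standing in for Feathers' `BadRequest` are assumptions:

```javascript
// Added example, not feathers-chat code. A before-create hook for the
// users service that rejects addresses which are not plausibly an email.
// EMAIL_RE, MAX_EMAIL_LENGTH and the error shape are assumptions.

// Deliberately simple: one local part, one '@', a dotted domain, and none
// of the characters that matter in HTML (<, >, ", ', whitespace). Anything
// stricter belongs to a real validator; the point is to reject markup early.
const EMAIL_RE = /^[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$/;
const MAX_EMAIL_LENGTH = 254;

function isValidEmail(email) {
  return typeof email === 'string'
    && email.length <= MAX_EMAIL_LENGTH
    && EMAIL_RE.test(email);
}

// Hook body: throw to abort the create, return context to let it through.
// Feathers accepts sync hooks, so no async/await is needed here.
// In a real app you would `throw new BadRequest('Invalid email address')`
// from @feathersjs/errors; a plain Error with code 400 is used so this
// file runs without dependencies.
function validateEmail(context) {
  const { email } = context.data || {};
  if (!isValidEmail(email)) {
    const err = new Error('Invalid email address');
    err.code = 400;
    throw err;
  }
  return context;
}

// Registration (not executed here, shown for reference):
//   app.service('users').hooks({ before: { create: [validateEmail] } });

// Constructed sample contexts mirroring what Feathers passes to a hook
// for users.create(); the bad one carries the payload from this issue.
const goodContext = {
  method: 'create',
  data: { email: 'alice@example.com', password: 'correct horse battery' }
};
const badContext = {
  method: 'create',
  data: {
    email: '<img src="https://duckduckgo.com/assets/logo_homepage.normal.v107.svg" onload="alert(\'XSS Vulnerability?\')">',
    password: 'x'
  }
};

console.log('good:', isValidEmail(goodContext.data.email));
console.log('bad: ', isValidEmail(badContext.data.email));
```

Validating the email on the server stops this particular payload from being stored, but it does not replace output escaping in the client: the message text is also user-controlled and reaches the same templates, and a stricter-than-RFC regex will reject some legitimate addresses, so treat the hook as defence in depth rather than the fix.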
The best solution for now is probably to add and use a general escapeHTML in the client-side examples (https://github.com/feathersjs/feathers-chat/blob/master/public/vanilla/app.js and https://github.com/feathersjs/feathers-chat/tree/master/public/jquery). A newer version of the guide will probably also add more thorough input validation.
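What "a general escapeHTML" in the client-side examples looks like, as an added example rather than code from feathers-chat: a single-pass entity encoder, the vulnerable template beside the fixed one, and the payload from this issue run through both. The function names and the `{ user: { email }, text }` message shape are assumptions modelled on how the vanilla example builds message markup from template strings:

```javascript
// Added example, not feathers-chat code. Function names and the message
// shape ({ user: { email }, text }) are assumptions.

// Every character with meaning in HTML markup, mapped to its entity.
// Escaping both quote styles keeps the output safe inside attribute
// values as well as between tags.
const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;'
};

// Single regex pass: '&' is replaced at the same time as the others, so an
// already-present '&lt;' is not double-encoded into '&amp;lt;' by a later step.
function escapeHTML(value) {
  // Coerce first so numbers, null and undefined do not throw.
  return String(value).replace(/[&<>"']/g, ch => HTML_ESCAPES[ch]);
}

// Vulnerable rendering: user-controlled fields are interpolated straight
// into markup, so an email that is an <img onload=...> tag becomes a live
// element the moment the string is assigned to innerHTML.
function renderMessageUnsafe(message) {
  return `<div class="message">
    <span class="sender">${message.user.email}</span>
    <p class="text">${message.text}</p>
  </div>`;
}

// Fixed rendering: every user-controlled field goes through escapeHTML
// before it is placed into the template string. The markup structure is
// still the template's own; only the data is encoded.
function renderMessage(message) {
  return `<div class="message">
    <span class="sender">${escapeHTML(message.user.email)}</span>
    <p class="text">${escapeHTML(message.text)}</p>
  </div>`;
}

// Constructed sample: the payload from this issue used as the email, and a
// message body that also contains markup.
const XSS_EMAIL = '<img src="https://duckduckgo.com/assets/logo_homepage.normal.v107.svg" onload="alert(\'XSS Vulnerability?\')">';
const sampleMessage = {
  user: { email: XSS_EMAIL },
  text: 'Tom & Jerry <b>say hi</b>'
};

console.log('--- unsafe ---');
console.log(renderMessageUnsafe(sampleMessage));
console.log('--- escaped ---');
console.log(renderMessage(sampleMessage));
```

Where the DOM is built node by node instead of from strings, assigning `element.textContent = user.email` gives the same protection without an escaping function; the feathers-chat examples build HTML strings and hand them to `innerHTML`, which is why escaping at the template is the fitting change there.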
I think this fix is quite dirty, but it seems to be the simplest way before updating to the new version of the guide.