How to put a redirect on a xat chat page

Some background
xat is a social networking site where you can, among other things, create your own chat. You can reach your chat by following a direct URL of the form <your chat page name>

On this page you can customize your layout by editing the HTML source that is given to you. However, when you try to add certain content such as JavaScript, xat filters your input and replaces certain keywords. For example, if the word "script" appears anywhere in your code, it is simply replaced by "nope". This filtering is meant as a protection measure to prevent users from putting malicious code on their chat pages.

In my case, the owner wanted to redirect the chat page to a new website that he recently migrated to.

How to redirect your xat chat page to your website
One way of putting a redirect on an HTML page is the usual meta refresh method. However, I found out that the filter currently replaces http-equiv="refresh" with http-equiv="fresh", which obviously breaks the redirect. However, the filter just replaces "re" with an empty string, which can be trivially bypassed: you just have to use http-equiv="rerefresh", which the filter finally turns into http-equiv="refresh".

So the final result becomes

<meta http-equiv="rerefresh" content="0; url=">

where the value after url= is the website you want to redirect to. Note also that you have to put this tag between the head tags. The entire HTML page would then look something like this:

<html>
<head>
<meta http-equiv="rerefresh" content="0; url=">
</head>
</html>

Final notes
Keyword replacements of this kind are in general a bad way of securing a website and should be avoided: they blacklist a handful of strings instead of parsing the HTML and allowing only known-safe elements and attributes. As shown above, the current filter the xat developers are applying is useless and is trivially bypassed. I also found other, more advanced ways to accomplish this, but this should in essence do the trick (it works on Internet Explorer, Firefox and Chrome). Note that the xat developers might decide to change the filter in the future, after which this small trick will no longer work. It already depends on the replacement being applied only once: a filter that re-ran its rules until nothing changed would turn rerefresh into fresh. You should also check the xat rules before applying any of this.
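The following is an added example, not code from this post or from xat, modelling the keyword filter from the how-to section and the point made in these final notes: a single-pass keyword replacement, the doubled-keyword bypass against it, and a hardened variant that re-applies its rules until the output stops changing. The rule list is an assumption built from the two replacements the post reports ("script" to "nope", "refresh" to "fresh"); xat's actual rule set is not public, and example.com stands in for the destination site.

```javascript
// Added example, not xat's code: a model of the keyword-replacement filter
// the post describes, the doubled-keyword bypass against it, and a hardened
// variant that re-applies its rules until the output stops changing.
// The rule list is an assumption: the post reports "script" -> "nope" and
// "refresh" -> "fresh"; xat's real rule set is not public.
const RULES = [
  ["script", "nope"],   // any "script" becomes "nope"
  ["refresh", "fresh"], // "refresh" loses its "re" prefix
];

// Single-pass filter: each rule applied once over the whole input.
// Replaced text is never re-scanned, so a keyword that a replacement
// reassembles (re + fresh -> refresh) leaves the filter intact.
function naiveFilter(html) {
  for (const [bad, good] of RULES) {
    html = html.split(bad).join(good);
  }
  return html;
}

// Hardened variant: keep filtering until a pass changes nothing, so a
// keyword reassembled by one pass is caught by the next. It is still a
// blacklist (parsing the HTML and allowing only known elements and
// attributes is the proper fix), but it closes the doubling trick.
// Every rule shortens its input, so the loop terminates.
function fixpointFilter(html) {
  let prev;
  do {
    prev = html;
    html = naiveFilter(html);
  } while (html !== prev);
  return html;
}

// For a rule bad -> good where good is a suffix of bad (refresh -> fresh),
// writing the stripped prefix twice makes the single-pass filter emit the
// original keyword: stripped + bad -> stripped + good = bad.
// The mirror case (good is a prefix of bad) doubles the stripped suffix.
// Rules whose replacement is empty or is not part of the keyword
// (script -> nope) are outside this trick, and null is returned.
function doubledKeyword(bad, good) {
  if (good.length === 0 || good.length >= bad.length) return null;
  if (bad.endsWith(good)) {
    return bad.slice(0, bad.length - good.length) + bad;
  }
  if (bad.startsWith(good)) {
    return bad + bad.slice(good.length);
  }
  return null;
}

// Build the meta redirect from the post, using the bypassed attribute name.
function redirectTag(url) {
  const attr = doubledKeyword("refresh", "fresh"); // "rerefresh"
  return `<meta http-equiv="${attr}" content="0; url=${url}">`;
}

// Constructed sample: the redirect run through both filters.
// example.com is a placeholder for the real destination.
const tag = redirectTag("https://example.com/");
console.log(naiveFilter(tag));    // http-equiv="refresh": bypass succeeds
console.log(fixpointFilter(tag)); // http-equiv="fresh": bypass fails
```

The doubling works against any single-pass rule whose replacement is a prefix or suffix of the keyword, which is why the fix-point loop, and better still a parser-based allowlist, is the practical answer rather than adding more keywords to the list.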
