How to put a redirect on a xat chat page

Some background
xat is a social networking site where you can, among other things, create your own chat. You can reach your chat by following a direct URL of the form

http://xat.com/<your chat page name>

On this page you can customize your layout by adapting the HTML source that is given to you. However, when you try to add certain things such as JavaScript, xat will filter your input and replace certain keywords. For example, if you use the word "script" anywhere in your code it will simply be replaced by "nope". This filtering serves as a protection measure to prevent users from putting malicious code on their chat pages.

In my case, the owner wanted to redirect the chat page to a new website that he recently migrated to.

How to redirect your xat chat page to your website
One way of putting a redirect on an HTML page is the usual meta refresh method. However, I found out that the filter currently replaces http-equiv="refresh" with http-equiv="fresh", which obviously breaks the redirect parameter value. The filter just replaces "re" with an empty string, though, which can be trivially bypassed. You just have to use http-equiv="rerefresh", which the filter then turns into http-equiv="refresh".

So the final result becomes

<meta http-equiv="rerefresh" content="0; url=http://google.com">

where http://google.com of course stands for the website you want to redirect to. Note also that you have to put this between the head tags. The entire HTML code would then look something like this:

<html>
<head>
<meta http-equiv="rerefresh" content="0; url=http://website.com/redirect/xat_redirect.php">
</head>
<b0dy></b0dy>
</html>

Final notes
These replacements are in general a bad way of securing a website and should be avoided. As shown above, the current filter the xat developers are applying is useless and is trivially bypassed. I also found other, more advanced ways to accomplish this, but this should in essence do the trick (works on Internet Explorer, Firefox and Chrome). Note that in the future, the xat developers might decide to change the filter so that this small trick no longer works. You should also check the xat rules before applying any of this.

Number converter

Once in a while a man wants to convert a hexadecimal number to a decimal one, or even maybe a binary number to a decimal one. Google always helps if you ask “hex 2 bin”, but instead I decided to write an online application of my own.

The converter is implemented as a very simple web page and can be found here. On the web page, on-the-fly conversions are possible between a decimal, a hexadecimal and a binary number. So all conversions dec2hex, dec2bin, hex2dec, hex2bin, bin2dec and bin2hex are included in this basic form. See the complete junk of HTML and JavaScript code below.

<html>
<script type="text/javascript">
  function d2h(d) { return d.toString(16); };
  function h2d(h) { return parseInt(h,16); };
  function d2b(d) { return d.toString(2); };
  function b2d(b) { return parseInt(b,2); };

  function idec(d) {
    // pre: d is a decimal string; parse with an explicit radix so that
    // input such as "0x10" is not silently read as hexadecimal
    var n = parseInt(d, 10);
    document.cform.hex.value = d2h(n);
    document.cform.bin.value = d2b(n);
  };

  function ihex(h) {
    // pre: h is string
    var d = h2d(h);
    document.cform.dec.value = d;
    document.cform.bin.value = d2b(d);
  };

  function ibin(b) {
    // pre: b is string
    var d = b2d(b);
    document.cform.dec.value = d;
    document.cform.hex.value = d2h(d);
  };

</script>
<body>
<h1>Number converter</h1>
<p>Insert a decimal, hexadecimal or a binary number to convert it.</p>
<form name="cform">
Decimal: <input name="dec" onkeyup="idec(this.value)" />
Hexadecimal: <input name="hex" onkeyup="ihex(this.value)" />
Binary: <input name="bin" onkeyup="ibin(this.value)" />
</form>

</body>
</html>