XSS using chat #14

jlbribeiro · 2022-03-21T12:14:03Z

One for the backlog :)

Describe the bug
It is possible to run JavaScript on all clients by using the chat option.

To Reproduce
Steps to reproduce the behavior:

Send <script>alert('Hello World!')</script> as a chat message.
All clients display "Hello World!" as a blocking pop-up. The sending player appears to have sent an empty message (in the chat log).

Expected behavior
The text message should appear (literally) in the chat log, instead of being interpreted by the browser as code.

The text was updated successfully, but these errors were encountered:

cdot · 2022-03-21T18:44:47Z

Cool! I'll be honest, XSS vulnerabilities haven't been top of my priority list; though that really ought to be fixed.

cdot · 2022-03-21T18:59:00Z

31eed27 should close that.

jlbribeiro · 2022-03-21T19:12:59Z

@cdot I figured it was not top priority, hence why I was just adding it to the "backlog" (I really just tried it out of curiosity).

Thanks for the fix!

cdot added a commit that referenced this issue Mar 21, 2022

#14 XSS vulnerability using chat secured

31eed27

cdot closed this as completed Mar 21, 2022

cdot added the bug Something isn't working label Mar 21, 2022

Provide feedback