[Vulnerbability]: XSS Cross Site Scripting

[ZoneTwelve]

Description of the bug

Based on the code, I saw the rendering method is using String Template literals to process the color user just gives.

Exploit

Prove of Concept

Steps To Reproduce

1. write the XSS in the parameter, ex. color, strokeWeight, etc...
2. execute the site you are running.
3. got the alert popup

Additional Information

No response

[shinokada]

Your color prop quote has " and '.

It should be:

<Eye size="50" color='red' />

[ZoneTwelve]

Thank you for the response.
But I think you missing understanding the purpose of the following code
if we got users who don't understand how the code work.
that might cause a Cross-Site-Scripting (XSS) in the arguments rendering process.
In my thought, you should replace the String Template Iteration with another safer method.

[shinokada]

Thank you for the clarification. I appreciate it, and I will see what I can do to address the issue.

[shinokada]

Can you check with svelte-heros-v2@0.5.1 and let me know if it solves this issue?

[ZoneTwelve]

Hello shinokada, I received your message, and I have written a Proof of Concept for your project svelte-heros-v2-vuln-PoC.
If you want to try it yourself using the previous vulnerability, you can follow the instructions provided in my README.

I'm confident that, at the very least, it will no longer be able to execute my payload.