Canop / miaou

A chat server with OAuth2 authentication, persistent and searchable history, video and audio, markdown formatting, private and public rooms, stars, votes, embedded games, and many other features
http://miaou.dystroy.org/

Fix HTML injection by way of `</script>` #76

Closed minitech closed 8 years ago

minitech commented 8 years ago
`</script><b>silly page-breaking stuff</b>` in user profiles, for example. I’m unable to test this right now, but hope it’s still helpful.

Canop commented 8 years ago

You can't execute injected JavaScript because I've set the CSP header to prevent all inline JavaScript, whatever its origin.

But you found a way to inject some HTML and break the data structure passed to the page, so a fix is needed.

Can you tell me precisely why you chose `/<([/!])/g` instead of specifically targeting `</script`?

Note that I normally prefer security breaches to be privately brought to me (on Miaou in a private room, for example) before they are publicly disclosed, to limit the exposure of my users.

Landing point: https://dystroy.org/miaou/1

minitech commented 8 years ago

As far as I’m aware, just escaping `</script` and `<!--` is enough, so it could be changed to that if you want.

`<!--` because of this, which doesn’t come into effect very often at all (certainly not here) but is still good to have in a generic inline JSON escaper:

```html
<script>var x = "<!--<script>"</script><script>var y = "-->/;alert(1)//"</script>
```

Requires consecutive script blocks on the same line with consecutive JSON-encoded, user-provided strings, no semicolons, and no CSP. Still…
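The escaping discussed in this thread, as an added example that is not Miaou's own code: `jsonForScript` applies the `/<([/!])/g` replacement from the pull request (so both `</script` and `<!--` lose their `<` to the JavaScript escape `\u003c`, which the HTML tokenizer never sees but a JavaScript engine decodes back to `<`), and `isScriptBlockIntact` checks the emitted markup the way the HTML parser would. The function names, the `renderScript` template helper, the sample profile and its payload are constructed for this example; the extra U+2028/U+2029 escaping is a standard precaution for older engines and is not part of the thread.

```javascript
// Added example (not Miaou's code): serialize a value as JSON that is safe to
// embed inside an inline <script> block. The HTML parser ends a script element
// at the first "</script" it sees and treats "<!--" as the start of an escaped
// text span, regardless of JavaScript string syntax, so both sequences must be
// neutralised in the serialized text. Replacing "<" followed by "/" or "!" with
// the JavaScript escape "\u003c" keeps the output valid JSON and valid
// JavaScript while hiding those sequences from the HTML tokenizer.
function jsonForScript(value) {
  return JSON.stringify(value)
    // "</" covers "</script"; "<!" covers "<!--" (the thread's /<([/!])/g).
    .replace(/<([/!])/g, '\\u003c$1')
    // U+2028/U+2029 are legal inside JSON strings but were line terminators
    // in JavaScript before ES2019; escaping them keeps older engines happy.
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029');
}

// Build the inline script block a server-side template would emit
// (hypothetical helper, standing in for the page template).
function renderScript(varName, value) {
  return '<script>var ' + varName + ' = ' + jsonForScript(value) + ';</script>';
}

// Check, at the HTML level, that the emitted markup contains exactly one
// closing script tag and no comment opener: the two things that let user
// data break out of the data structure passed to the page.
function isScriptBlockIntact(html) {
  const closers = html.match(/<\/script/gi) || [];
  return closers.length === 1 && !/<!--/.test(html);
}

// Constructed sample profile, using the payload from the issue report.
const profile = {
  name: 'mallory',
  bio: '</script><b>silly page-breaking stuff</b>',
};
const naive = '<script>var profile = ' + JSON.stringify(profile) + ';</script>';
const safe = renderScript('profile', profile);

console.log(isScriptBlockIntact(naive)); // false: the bio closes the element early
console.log(isScriptBlockIntact(safe));  // true
// The browser still sees the original data once it parses the JS string literal:
console.log(JSON.parse(jsonForScript(profile)).bio === profile.bio); // true
```

The `<b>` tag in the payload is left alone on purpose: inside a script element the tokenizer only cares about `</script` and `<!--`, and the CSP header mentioned above does nothing to stop the element from being closed early, so the fix has to happen in the serializer rather than in the policy.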