Open weebi opened 3 years ago
Thanks for reporting!
Github.io is already a site for hosting arbitrary code from users, so there's no particular security issue here (you can also just create a new page on github.io yourself and link to that, and I can't stop you!).
That being said, it is slightly annoying, so any PR to fix it would be welcome =).
```js
function editRule(axis, idx) {
  var rule_span = document.getElementById('rule_' + axis + '_' + idx);
  rule_span.innerHTML = ruleInput(axis,idx);
}
```
Change this to `rule_span.innerText`.
Then on your backend you just match the regex itself against the following as sanity checks:
```
^[^<>]*$
^([^&]|&[a-zA-Z]+;|&#[0-9]+;|&#x[0-9A-Fa-f]+;)*$
```
If it does not pass both these checks it can then contain HTML syntax like tags or and-characters not belonging to and-escapes. (You should avoid creating the puzzle if it contains bad HTML like this.)
If you for some reason cannot use innerText assignment, there's a Stack Overflow answer on what the alternative is: https://stackoverflow.com/a/6234804
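
The two sanity checks suggested in the comment above, as an added example that is not part of the thread or the project's code. It assumes the `?puzzle=` value is base64-encoded JSON with rule arrays under `x`, `y` and `z`; all function names are hypothetical.

```javascript
// Added example, not the project's code. The two patterns are the ones quoted
// in the comment above; the puzzle layout (x/y/z rule arrays) is an assumption.
const NO_TAGS = /^[^<>]*$/;
const ENTITIES_ONLY = /^([^&]|&[a-zA-Z]+;|&#[0-9]+;|&#x[0-9A-Fa-f]+;)*$/;

// A rule passes only if it is a string and matches both patterns.
function isSafeRule(rule) {
  return typeof rule === 'string' && NO_TAGS.test(rule) && ENTITIES_ONLY.test(rule);
}

// Decode the base64 JSON carried in ?puzzle= (atob in browsers, Buffer in old Node).
function decodePuzzle(param) {
  const json = typeof atob === 'function'
    ? atob(param)
    : Buffer.from(param, 'base64').toString('binary');
  return JSON.parse(json);
}

// Return every rule that fails a check, as {axis, idx}; an empty list means accept.
function findUnsafeRules(puzzle) {
  const bad = [];
  for (const axis of ['x', 'y', 'z']) {
    const rules = Array.isArray(puzzle[axis]) ? puzzle[axis] : [];
    rules.forEach((rule, idx) => {
      if (!isSafeRule(rule)) bad.push({ axis, idx });
    });
  }
  return bad;
}

// Gate to run before a puzzle is created or rendered.
function checkPuzzleParam(param) {
  let puzzle;
  try {
    puzzle = decodePuzzle(param);
  } catch (e) {
    return { ok: false, reason: 'undecodable', bad: [] };
  }
  if (puzzle === null || typeof puzzle !== 'object') {
    return { ok: false, reason: 'not-an-object', bad: [] };
  }
  const bad = findUnsafeRules(puzzle);
  return { ok: bad.length === 0, reason: bad.length ? 'html-in-rule' : null, bad };
}
```

A rule that fails is rejected rather than repaired, so a puzzle with markup in any rule is never created.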
By injecting HTML code into the Regex rule field(s), it's possible to run JavaScript, modify the stylesheets and load other media in the player's browser when the page loads.
Example: https://jimbly.github.io/regex-crossword/?puzzle=eyJzaXplIjoiMSIsImF1dGhvciI6IiIsIm5hbWUiOiIiLCJ4IjpbIjxzY3JpcHQ+d2luZG93LmxvY2F0aW9uLmhyZWYgPSBcImh0dHBzOi8veW91dHUuYmUvZFF3NHc5V2dYY1FcIjwvc2NyaXB0PiJdLCJ5IjpbIi4qIl0sInoiOlsiLioiXX0=