KoltesDigital / atom-foxdot

FoxDot interface for Atom

Sanitize HTML characters when logging subprocess output #13

Closed MrMebelMan closed 3 years ago

MrMebelMan commented 3 years ago

Hi, I've found this bug by trying to print the active players using

print(Clock)

Players are represented in this format: <h1 - play>, <jb - jbass>, and Atom thinks it's HTML markup, so the output was messed up:

(screenshot: Selection_999(076))

You can also do other silly things with it ofc

(screenshot: Selection_999(079))

This PR fixes the printing of Player objects, but you can still embed code... I guess this is Atom's issue?

(screenshot: Selection_999(081))

MrMebelMan commented 3 years ago

Oh, I figured it out, I forgot to sanitize stdin. Embeds are now fixed as well.

KoltesDigital commented 3 years ago

Hi!

Thanks for your interest and for finding that! I'm surprised, that's security 101... grrr my bad.

While your solution works, I prefer to avoid adding a new function, which may itself lead to other security issues... when the browser can already handle it: elements have a textContent property which sanitizes inputs. I should have used it from the start, I somehow forgot to follow the source of log messages. I therefore used it instead as of 451dee9850ed079013fcf18188f4f21226254876.

Too bad because I think live Rick Rolling could be an emerging discipline!
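An added example, not code from atom-foxdot or from either commenter, contrasting the escaping helper the PR proposed with the textContent approach the maintainer switched to. The stub document and the sample log line are constructed here so it runs outside a browser.

```javascript
// Approach 1 (what the PR proposed): escape the HTML-significant characters
// before the string is assigned to innerHTML. Correct, but it is one more
// function that has to be called on every path that reaches the log panel.
const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Approach 2 (what the maintainer chose): never hand the string to the HTML
// parser at all. Setting textContent creates a text node, so "<h1 - play>"
// is displayed literally and an embedded tag is inert text, not live markup.
// `doc` is injectable so the same function runs with a stub document below.
function appendLogLine(container, line, doc = globalThis.document) {
  const node = doc.createElement("div");
  node.textContent = line; // no parsing happens, so no escaping is needed
  container.appendChild(node);
  return node;
}

// Minimal stand-in for a DOM document (constructed for this example only);
// a real browser document behaves the same for the two calls used above.
function stubDocument() {
  const makeElement = () => ({
    children: [],
    textContent: "",
    appendChild(child) { this.children.push(child); return child; },
  });
  return { createElement: makeElement };
}

// Constructed from the issue text: what FoxDot prints for active players.
const SAMPLE_LINE = "<h1 - play>, <jb - jbass>";

// The original bug was the equivalent of `panel.innerHTML += SAMPLE_LINE`,
// which turns "<h1 - play>" into a heading; both approaches below keep it text.
function demo() {
  const doc = stubDocument();
  const panel = doc.createElement("pre");
  const node = appendLogLine(panel, SAMPLE_LINE, doc);
  return { escaped: escapeHtml(SAMPLE_LINE), shown: node.textContent };
}
```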

MrMebelMan commented 3 years ago

Nice! TIL about textContent 😆