mainIine / foe-helfer-extension

FoE Helfer - Extension for chromium based browsers and Firefox ;-)
https://foe-helper.com
GNU Affero General Public License v3.0

[CRITICAL] GvG Map - Special characters (e.g. <>) in guilds' name #2526

Closed Arklur closed 1 year ago

Arklur commented 1 year ago

It seems that if the name of a guild includes the <> characters, the name is not shown, likely because the special characters are not escaped and become part of the HTML itself.


Windows 10 64 Bit Chrome 106.0.5249.119 (64 bit) us1 (Arvahall) 2.11.0.0 - English

Th3C0D3R commented 1 year ago

This is really critical as it could enable XSS!

outoftheline commented 1 year ago

We need a general function to escape these chars then, because it also happens in the costcalculator (and possibly everywhere there is a guild name, so guild expedition(?) and guild battlegrounds).
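The general escaping function asked for above, as an added example that is not part of this thread or of the FoE Helfer code base. The renderer functions and the guild name are assumptions constructed for the illustration; the bug in the report is exactly the unsafe pattern, where the raw name is interpolated into an HTML string and the browser parses `<...>` as a tag, so the name vanishes (and, as noted in the thread, any markup the name contains is interpreted rather than shown).

```javascript
// Added example (not FoE Helfer code): escape a guild name before it is
// interpolated into an HTML string, so characters such as < and > are shown
// literally instead of being parsed as markup.

// Map each HTML-significant character to its entity. Covering & " ' as well
// as < > makes the function safe for both text nodes and quoted attributes.
const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};

function escapeHtml(value) {
  // Coerce non-strings (undefined, numbers) so a caller cannot bypass the
  // escaping by passing an unexpected type.
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Hypothetical renderer for a GvG map cell (the original code that produced
// the bug is not on the page; these two functions only contrast the patterns).
function renderGuildCellUnsafe(guildName) {
  // Raw interpolation: the browser parses <...> inside the name as a tag.
  return `<div class="guild">${guildName}</div>`;
}

function renderGuildCellSafe(guildName) {
  // Escaped interpolation: the name reaches the DOM as literal text.
  return `<div class="guild">${escapeHtml(guildName)}</div>`;
}

// Constructed sample: a guild whose name contains <> as in the report.
const sampleGuildName = '<Knights> & "Friends"';

function demo() {
  const unsafe = renderGuildCellUnsafe(sampleGuildName);
  const safe = renderGuildCellSafe(sampleGuildName);
  console.log('unsafe:', unsafe); // <Knights> would be parsed as a tag and disappear
  console.log('safe:  ', safe);   // the name is rendered verbatim
  return { unsafe, safe };
}

if (typeof require !== 'undefined' && require.main === module) demo();
```

Where the code builds DOM nodes directly rather than HTML strings, assigning the name via `textContent` (or jQuery's `.text()`) achieves the same result without an escaping step; the escaping function is for the string-template paths, which the thread notes exist in several modules.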

teageek commented 1 year ago

Whatever you did within the last update: it made it worse. (screenshot attached: 2022-10-24 13_58_25-Window)