phetsims / gene-expression-essentials

An educational simulation about how genes work to create proteins.
GNU General Public License v3.0

Show Real Cells window is vulnerable to XSS #62

Closed phet-steele closed 7 years ago

phet-steele commented 7 years ago

Run the sim with ?stringTest=xss, then click the Show Real Cells button on the third screen to be redirected. Running on current master (4/4 1:30 PM)

phet-steele commented 7 years ago

This is no doubt because of the use of HTMLText for italicizing some strings in this window (see https://github.com/phetsims/chains/issues/3#issuecomment-291614197). @aadish is there another way to achieve italicized text without the use of HTMLText?

jonathanolson commented 7 years ago

Fixed by using RichText (which is new).
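
The thread traces the issue to translated strings being rendered as HTML just to get italics. As an added example (not PhET code, and not a description of how Scenery's RichText is implemented), here is one way to honour only `<i>` in a translated string and treat every other tag as literal text; the function names and sample strings are constructed for illustration.

```javascript
// Added example, not PhET code: honour only <i>...</i> in a translated string.
// parseItalicMarkup, escapeHtml and toSafeHtml are hypothetical names.
function parseItalicMarkup(input) {
  const runs = [];
  const tagPattern = /<\/?i>/g; // the only markup recognised
  let italicDepth = 0;
  let cursor = 0;
  let match;
  const pushText = (text) => {
    if (text.length === 0) return;
    const italic = italicDepth > 0;
    const last = runs[runs.length - 1];
    if (last && last.italic === italic) last.text += text; // merge adjacent runs
    else runs.push({ text, italic });
  };
  while ((match = tagPattern.exec(input)) !== null) {
    pushText(input.slice(cursor, match.index));
    if (match[0] === '<i>') italicDepth++;
    else if (italicDepth > 0) italicDepth--; // a stray </i> is dropped
    cursor = tagPattern.lastIndex;
  }
  pushText(input.slice(cursor)); // trailing text, including any other "tags"
  return runs;
}

// Escape every character that could start markup or break out of an attribute.
function escapeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return text.replace(/[&<>"']/g, (c) => map[c]);
}

// Rebuild output from the parsed runs, so only <i> tags we emit ourselves
// can ever reach the page.
function toSafeHtml(input) {
  return parseItalicMarkup(input)
    .map((run) => (run.italic ? `<i>${escapeHtml(run.text)}</i>` : escapeHtml(run.text)))
    .join('');
}

// Constructed sample strings: an ordinary translation and a hostile one of the
// kind a string test substitutes for every translatable string.
const BENIGN = 'Cells of <i>E. coli</i> bacteria';
const HOSTILE = '<i>E. coli</i><img src=x onerror=alert(1)>';

console.log(toSafeHtml(BENIGN));
console.log(toSafeHtml(HOSTILE));
```

The runs returned by `parseItalicMarkup` can also be drawn directly as styled text, which avoids handing the string to an HTML parser at all.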