Closed ZoneTwelve closed 1 year ago
Your color prop quote has " and '.
It should be:
<Eye size="50" color='red' />
Thank you for the response. But I think you are misunderstanding the purpose of the following code. If we have users who don't understand how the code works, that might cause a Cross-Site-Scripting (XSS) in the argument rendering process. In my opinion, you should replace the String Template Iteration with another, safer method.
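The pattern ZoneTwelve is pointing at, as an added example (this is not code from svelte-heros-v2 or from the PoC repository; the SVG markup, the function names and the payload string are hypothetical stand-ins): an icon renderer drops the `color` prop into an attribute through a template literal, so a value containing a double quote closes the attribute and whatever follows becomes new attributes. The hardened version beside it shows the two usual fixes, validating the prop against the shape of a CSS colour token and attribute-escaping whatever is finally interpolated.

```javascript
// Added example, not code from svelte-heros-v2. Models the issue's pattern:
// a user-supplied `color` prop interpolated into an SVG string that is then
// rendered as HTML. Markup and names are hypothetical.

// Vulnerable: `color` lands inside a quoted attribute with no escaping, so a
// `"` in the value ends the attribute and the rest becomes markup.
function renderIconUnsafe(color, size) {
  return `<svg width="${size}" height="${size}" stroke="${color}"><path d="M1 1h1"/></svg>`;
}

// Fix 1: escape the characters that have meaning inside an attribute value,
// so a closing quote can never be produced by the prop.
function escapeAttr(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Fix 2: validate rather than trust. Accept only values that look like a CSS
// colour token: a hex literal, an rgb()/hsl() function (with or without
// alpha), or a bare keyword such as `red` or `currentColor`. Anything else
// is replaced by a safe default instead of being rendered.
const COLOR_RE = /^(?:#[0-9a-f]{3,8}|(?:rgb|hsl)a?\([\d\s.,%/]+\)|[a-z]+)$/i;

function sanitizeColor(color, fallback = "currentColor") {
  const c = String(color).trim();
  return COLOR_RE.test(c) ? c : fallback;
}

// Same treatment for `size`: only a short run of digits passes through.
function sanitizeSize(size, fallback = 24) {
  const s = String(size).trim();
  return /^\d{1,4}$/.test(s) ? s : String(fallback);
}

// Hardened renderer: validate first, then escape what is interpolated.
function renderIconSafe(color, size) {
  const c = escapeAttr(sanitizeColor(color));
  const s = escapeAttr(sanitizeSize(size));
  return `<svg width="${s}" height="${s}" stroke="${c}"><path d="M1 1h1"/></svg>`;
}

// Constructed payload: closes the stroke attribute and appends an event
// handler that runs when the SVG element loads.
const PAYLOAD = 'red" onload="alert(document.domain)';

// Check used below: does the rendered markup carry an on*= handler?
function hasInjectedHandler(markup) {
  return /\son[a-z]+\s*=/i.test(markup);
}

console.log("unsafe:", renderIconUnsafe(PAYLOAD, 50));
console.log("safe:  ", renderIconSafe(PAYLOAD, 50));
console.log("handler injected (unsafe):", hasInjectedHandler(renderIconUnsafe(PAYLOAD, 50)));
console.log("handler injected (safe):  ", hasInjectedHandler(renderIconSafe(PAYLOAD, 50)));
```

Validation is the stronger of the two fixes here: a colour is a small, well-defined grammar, and rejecting anything outside it removes the injection surface regardless of how the string is later rendered. Escaping alone is only correct if the value is guaranteed to stay inside a quoted attribute; it does nothing for a prop interpolated into a `style` block or a `<script>`.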
Thank you for the clarification. I appreciate it, and I will see what I can do to address the issue.
Can you check with svelte-heros-v2@0.5.1 and let me know if it solves this issue?
Hello shinokada, I received your message, and I have written a Proof of Concept for your project svelte-heros-v2-vuln-PoC. If you want to try it yourself using the previous vulnerability, you can follow the instructions provided in my README.
I'm confident that, at the very least, it will no longer be able to execute my payload.
Description of the bug
Based on the code, I saw that the rendering method uses String Template literals to process the color the user gives.
Exploit

![Screenshot Exploit](https://github.com/shinokada/svelte-heros-v2/assets/20425883/3678567e-6365-474e-a487-f8ba7f2ff222)

Proof of Concept
Steps To Reproduce
Additional Information
No response