Tridecco Game Client is a frontend application designed to support Tridecco games. It provides user interface rendering, user interaction handling, dynamic content loading, and communication with the backend server.
There is a potential cross-site scripting (XSS) vulnerability in the handling of user input in rooms.ejs. The issue arises when user-provided values are used directly to construct URLs without proper escaping, which can lead to malicious scripts being executed.
Affected Files:
views/pages/rooms.ejs
Proposed Solution:
Use encodeURIComponent to escape user inputs before constructing URLs. This will ensure that special characters are properly encoded, preventing the execution of malicious scripts.
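The vulnerable pattern and the proposed fix side by side, as an added JavaScript example that is not code from the Tridecco repository; the helpers buildRoomUrlUnsafe and buildRoomUrl, and the sample room name, are hypothetical and constructed for illustration.

```javascript
// Added example (not the Tridecco project's own code): a hypothetical URL
// builder that applies the fix proposed in the issue, i.e. escaping each
// user-supplied value with encodeURIComponent before it enters the URL.

// Vulnerable pattern: raw concatenation of a user-controlled value.
function buildRoomUrlUnsafe(base, roomName) {
  return base + "?room=" + roomName;
}

// Hardened pattern: every key and value is encoded individually. Encode the
// components, never the whole URL, or '?', '=' and '&' would be mangled too.
function buildRoomUrl(base, params) {
  const query = Object.entries(params)
    .map(([k, v]) => encodeURIComponent(k) + "=" + encodeURIComponent(String(v)))
    .join("&");
  return query ? base + "?" + query : base;
}

// Constructed sample input: a room name carrying markup that a browser would
// interpret if the URL were written into the page unescaped.
const hostileRoomName = '<img src=x onerror="alert(1)">';

function demo() {
  const unsafe = buildRoomUrlUnsafe("/rooms", hostileRoomName);
  const safe = buildRoomUrl("/rooms", { room: hostileRoomName, page: 2 });
  return {
    unsafe,
    safe,
    // No '<', '>' or '"' survives encoding, so the value can neither start a
    // tag nor break out of a double-quoted attribute.
    unsafeContainsMarkup: /[<>"]/.test(unsafe),
    safeContainsMarkup: /[<>"]/.test(safe),
    // The server still receives the original value once the URL is decoded.
    roundTrip:
      new URL(safe, "https://example.invalid").searchParams.get("room") === hostileRoomName,
    // encodeURIComponent leaves the apostrophe (and parentheses) unencoded.
    apostropheSurvives: buildRoomUrl("/rooms", { room: "it's" }).includes("'"),
  };
}
```

Because `'`, `(` and `)` pass through encodeURIComponent unchanged, the resulting URL must still be HTML-escaped (EJS `<%= %>` does this) when it is written into markup; URL encoding protects the URL's structure, not the HTML context around it.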