foe-helfer-extension

[CRITICAL] GvG Map - Special characters (e.g. <>) in guilds' name

Status: Open. Arklur opened this issue 2 years ago • 3 comments

It seems that if the name of a guild includes the <> characters, the name is not shown, likely because the special characters are not escaped and become part of the HTML itself:

(screenshot attached)

Windows 10 64 Bit, Chrome 106.0.5249.119 (64 bit), us1 (Arvahall), 2.11.0.0 - English

Arklur, Oct 12 '22 14:10

This is really critical as it could enable XSS!

Th3C0D3R, Oct 14 '22 10:10

We need a general function to escape these characters then, because it also happens in the costcalculator (and possibly everywhere there is a guild name, so guild expedition(?) and guild battlegrounds).

outoftheline, Oct 14 '22 16:10
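A general escaping helper of the kind this comment asks for, as an added example that is not code from the foe-helfer-extension project. The function and field names (escapeHtml, renderGuildRowUnsafe, renderGuildRowSafe, buildGuildRowDom, guild.name, guild.points) and the sample guild names are assumptions made for the illustration; the unsafe variant reproduces the pattern the report describes, where the guild name is concatenated straight into markup:

```javascript
// Added example, not the extension's own code. Names below are illustrative
// assumptions, not identifiers from the project.

const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};

// Escape a value for insertion as HTML text or inside a double-quoted
// attribute. '&' is escaped too: otherwise a name containing "&lt;" would be
// decoded back into '<' by the HTML parser. Non-string input is stringified;
// null and undefined become ''.
function escapeHtml(value) {
  if (value === null || value === undefined) return '';
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// The vulnerable pattern: the raw name is joined into the markup, so a guild
// named "<b>" is swallowed as a tag and an onerror payload runs as script.
function renderGuildRowUnsafe(guild) {
  return '<tr><td title="' + guild.name + '">' + guild.name + '</td>' +
         '<td>' + guild.points + '</td></tr>';
}

// The hardened string version: every untrusted field passes through
// escapeHtml() before it is joined, in both the text and attribute positions.
function renderGuildRowSafe(guild) {
  const name = escapeHtml(guild.name);
  return '<tr><td title="' + name + '">' + name + '</td>' +
         '<td>' + escapeHtml(guild.points) + '</td></tr>';
}

// The DOM version avoids the problem entirely: textContent and property
// assignment never parse the value as HTML, so no escaping step can be
// forgotten. `doc` is a Document (e.g. window.document in the extension).
function buildGuildRowDom(doc, guild) {
  const tr = doc.createElement('tr');
  const nameCell = doc.createElement('td');
  nameCell.textContent = guild.name;
  nameCell.title = guild.name;
  const pointsCell = doc.createElement('td');
  pointsCell.textContent = String(guild.points);
  tr.appendChild(nameCell);
  tr.appendChild(pointsCell);
  return tr;
}

// Constructed sample input: the first name reproduces the report (angle
// brackets disappear as a tag), the second is the payload shape that turns
// the same bug into script execution in the user's browser.
const SAMPLE_GUILDS = [
  { name: 'The <Best> Guild', points: 1200 },
  { name: '<img src=x onerror=alert(document.cookie)>', points: 900 },
];

function demo() {
  for (const g of SAMPLE_GUILDS) {
    console.log('unsafe:', renderGuildRowUnsafe(g));
    console.log('safe:  ', renderGuildRowSafe(g));
  }
}

demo();
```

escapeHtml() is only correct for HTML text and double-quoted attribute values; a name that ends up in a URL, an inline event handler or a script block needs the encoder for that context instead. Whichever route is chosen, it has to be applied at every output point the comment lists (map, costcalculator, expedition, battlegrounds), which is the argument for building rows with the DOM helper rather than relying on each template to remember the call.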

Whatever you did within the last update: it made it worse. (screenshot: 2022-10-24 13_58_25-Window)

teageek, Oct 24 '22 12:10