Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Fixed missing HTML sanitization #2283

Closed
wants to merge 1 commit into from
Closed

Fixed missing HTML sanitization #2283

wants to merge 1 commit into from

Conversation

swordfishtr
Copy link
Contributor

It was possible to run arbitrary javascript from restoring a crafted teambuilder backup. Let me know if a Smogon bug report with clarification is needed.

A sample: paste the following into the backup menu and restore, the effect is immediate.

=== [<script>alert("hi i'm from an arbitrary script!");</script>] Untitled 1 ===

@swordfishtr
Fixed missing HTML sanitization (#1)
6bc0641 
It was possible to run arbitrary javascript from restoring a crafted teambuilder backup. Let me know if a Smogon bug report with clarification is needed.

A sample: paste the following into the backup menu and restore, the effect is immediate.

=== [<script>alert("hi i'm from an arbitrary script!");</script>] Untitled 1 ===
@Slayer95
Copy link
Collaborator

Slayer95 commented Sep 24, 2024
edited
Loading

Confirmed.

A tangential concern is that importing https://pokepast.es/17af0dd9b7bcc5a8 as a single team (using the URL) hangs the browser.

@swordfishtr
Copy link
Contributor Author

A tangential concern is that importing https://pokepast.es/17af0dd9b7bcc5a8 as a single team (using the URL) hangs the browser.

oh shit, oh fuck, that's caused by an unterminated while(true) look here:

pokemon-showdown-client/play.pokemonshowdown.com/js/storage.js

Line 1095 in 5512e76

j = buf.indexOf(']', i);

the stuff to do with misc is irrelevant, check the break line after those. importing so much as ] bypasses it. i'll try to fix this in another pr (good catch!)

@swordfishtr
Copy link
Contributor Author

swordfishtr commented Sep 25, 2024
edited
Loading

A tangential concern

I have a fix for this issue now but i've messed up by creating this pr from my main branch (web interface is confusing and i didn't know any better). Closing to reopen properly, sorry!

This was referenced Sep 25, 2024
Merged
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@swordfishtr @Slayer95