Commit b14135b

fix(registration): prevent stored XSS in registration success message (#72)
Replace innerHTML with safe DOM methods (createTextNode + textContent) to prevent stored XSS via crafted username in the registration success flow. Also add prettier as devDependency for CI formatting compliance. Closes #57
1 parent d4dc7a9 commit b14135b

3 files changed

Lines changed: 30 additions & 2 deletions

frontend/registration.html

Lines changed: 8 additions & 2 deletions
@@ -194,7 +194,7 @@ <h1 class="page-title">Join the Leaderboard</h1>
194194
const target = document.getElementById("welcome-message");
195195
const lines = [
196196
{
197-
text: `> User record authenticated: ${name}`,
197+
text: "> User record authenticated: ",
198198
color: "var(--green-dim)",
199199
},
200200
{ text: `> Status: RANK_SYNC_PENDING`, color: "var(--amber)" },
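Review bot: this entry's new static `text: "> User record authenticated: "` is never what gets rendered, because the render path (second hunk) dispatches on `lineData.text.includes("authenticated")` and then hardcodes the same prefix literal again, so the two copies can drift and the sentinel match is brittle: rewording the message would silently route the entry through the generic `innerText` branch without the username. Consider carrying the dynamic part explicitly, e.g. `{ text: "> User record authenticated: ", value: name, color: "var(--green-dim)" }`, and branching on the presence of `value` instead of on the string contents. Minor style point: `` `> Status: RANK_SYNC_PENDING` `` is a template literal with no interpolation and can be a plain string.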
@@ -218,7 +218,13 @@ <h1 class="page-title">Join the Leaderboard</h1>
218218
const div = document.createElement("div");
219219

220220
if (lineData.text.includes("authenticated")) {
221-
div.innerHTML = `> User record authenticated: <span style="color: var(--green)">${name}</span>`;
221+
div.appendChild(
222+
document.createTextNode("> User record authenticated: "),
223+
);
224+
const span = document.createElement("span");
225+
span.style.color = "var(--green)";
226+
span.textContent = name;
227+
div.appendChild(span);
222228
} else {
223229
div.innerText = lineData.text;
224230
if (lineData.color) div.style.color = lineData.color;
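Review bot: the replacement is correct as a stored-XSS fix, since `createTextNode` and `textContent` never parse markup and a crafted `name` is rendered literally, but the prefix `"> User record authenticated: "` is now duplicated between this branch and the `lines` entry above; use `document.createTextNode(lineData.text)` here so the literal lives in one place. A regression test that renders a username containing `<`, `>` and `&` and asserts that `div.textContent` equals the expected plain string (and that `div.querySelector("img, script")` is null) would lock the fix in against a future return to `innerHTML`.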

package-lock.json

Lines changed: 19 additions & 0 deletions
Some generated files are not rendered by default.

package.json

Lines changed: 3 additions & 0 deletions
@@ -22,5 +22,8 @@
2222
"axios": "^1.10.0",
2323
"cors": "^2.8.5",
2424
"express": "^5.1.0"
25+
},
26+
"devDependencies": {
27+
"prettier": "^3.8.3"
2528
}
2629
}
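Review bot: adding `prettier` as a devDependency with no accompanying `scripts` entry or Prettier configuration in this commit leaves it unclear how the "CI formatting compliance" named in the commit message is actually invoked; either add a script such as `"format:check": "prettier --check ."` in the same change or reference the existing CI step in the message. The caret range `^3.8.3` is acceptable here only because the updated `package-lock.json` (19 additions) pins the resolved version; make sure CI installs with `npm ci` so the lockfile is honoured.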
