Commit eeefc56

fix(registration): prevent stored XSS in registration success message
Replace innerHTML with safe DOM methods (createTextNode + textContent) to prevent stored XSS via crafted username in the registration success flow. Also add prettier as devDependency for CI formatting compliance. Closes #57
1 parent f41add1 commit eeefc56

3 files changed

Lines changed: 30 additions & 2 deletions

frontend/registration.html

Lines changed: 8 additions & 2 deletions
@@ -191,7 +191,7 @@ <h1 class="page-title">Join the Leaderboard</h1>
191191
const target = document.getElementById("welcome-message");
192192
const lines = [
193193
{
194-
text: `> User record authenticated: ${name}`,
194+
text: "> User record authenticated: ",
195195
color: "var(--green-dim)",
196196
},
197197
{ text: `> Status: RANK_SYNC_PENDING`, color: "var(--amber)" },
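Review bot: the `lines` entry for the authenticated line now carries `text: "> User record authenticated: "` without the name, yet the render loop (lines 217-224 of the second hunk) ignores `lineData.text` for this entry and re-creates the same prefix with `document.createTextNode("> User record authenticated: ")`. Either drop the duplicated literal and pass `lineData.text` to `createTextNode`, or remove the `text` field from this entry so the two places cannot drift apart; the `color: "var(--green-dim)"` on the same entry is also only applied if the `if (lineData.color)` line runs for this branch, which is worth confirming in the surrounding code.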
@@ -215,7 +215,13 @@ <h1 class="page-title">Join the Leaderboard</h1>
215215
const div = document.createElement("div");
216216

217217
if (lineData.text.includes("authenticated")) {
218-
div.innerHTML = `> User record authenticated: <span style="color: var(--green)">${name}</span>`;
218+
div.appendChild(
219+
document.createTextNode("> User record authenticated: "),
220+
);
221+
const span = document.createElement("span");
222+
span.style.color = "var(--green)";
223+
span.textContent = name;
224+
div.appendChild(span);
219225
} else {
220226
div.innerText = lineData.text;
221227
if (lineData.color) div.style.color = lineData.color;
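Review bot: the replacement is sound, since `createTextNode` and `span.textContent` never parse `name` as markup, so a username containing `<img onerror=...>` or similar is rendered as literal characters rather than executed; a short comment above line 218 stating that `innerHTML` must not be reintroduced here because `name` is attacker-controlled would help keep the fix from regressing. The dispatch on `lineData.text.includes("authenticated")` is brittle: any future entry whose text happens to contain that word would take the name-rendering branch, so a dedicated field on the entry (for example a boolean marking the line that embeds the username) would be a clearer switch than substring matching.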

package-lock.json

Lines changed: 19 additions & 0 deletions
package.json

Lines changed: 3 additions & 0 deletions
@@ -22,5 +22,8 @@
2222
"axios": "^1.10.0",
2323
"cors": "^2.8.5",
2424
"express": "^5.1.0"
25+
},
26+
"devDependencies": {
27+
"prettier": "^3.8.3"
2528
}
2629
}
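Review bot: this `devDependencies` addition is unrelated to the XSS fix and would be easier to review and bisect as its own commit. The commit message says prettier is added "for CI formatting compliance", but the diff adds only the dependency: no `scripts` entry (such as a format or check script) and no prettier configuration file appear in the 3 changed files, so either the CI wiring is missing or the message overstates what this change does; please add the script or adjust the message.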
