fix(leaderboard): prevent stored XSS via unsanitized innerHTML on leaderboard page#73

Open

rishab11250 wants to merge 2 commits into codepvg:main from rishab11250:fix/stored-xss-leaderboard
Conversation

@rishab11250

Description

Fix a stored XSS vulnerability on the leaderboard page. User-controlled
user.name and user.id fields from remote JSON were interpolated
directly into innerHTML, allowing arbitrary HTML/JavaScript execution
in every visitor's browser.

Fixes #58

Changes Made

  • Desktop leaderboard rows — Replaced row.innerHTML with safe DOM methods
    (createElement + textContent + createTextNode).
  • Mobile cards — Same fix applied to mobile card rendering.
  • Unused leetcodeUrl variable removed.
  • Rank privilege tags ([ROOT]/[SUDO]/[EXEC]) use insertAdjacentHTML
    since they are hardcoded safe strings.
  • Visual appearance is unchanged — same layout, colors, and link styling.

Type of Change

  • Bug fix

Testing

  • Tested locally — all 95 users render, search works, links functional
  • Tested on mobile viewport (mobile cards render correctly)
  • No console errors introduced

Checklist

  • My code follows the project's coding style
  • I have formatted my code locally using Prettier
  • I have performed a self-review of my code
  • My changes generate no new warnings or errors
  • I have updated documentation if required
  • I have linked the relevant issue
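The before/after the description sketches, as an added example that is not code from the codepvg repository or from this PR: the innerHTML interpolation the PR removes beside a rewrite using createElement, createTextNode and textContent, with insertAdjacentHTML reserved for the hardcoded rank tags. So that it runs under Node without a browser, the example includes a minimal fake DOM that serializes text nodes with HTML escaping the way a browser does; that fake DOM, the render function names, the leaderboard field names and the handle format used to validate `user.id` before it goes into an `href` are all assumptions, and the sample records are constructed.

```javascript
// Added example, not code from the codepvg repository: the innerHTML
// interpolation the PR removes, beside a DOM-API rewrite, run against a
// minimal fake DOM so the file executes under Node. The fake DOM, the
// render function names and the leaderboard field names are assumptions.

const escapeHtml = (s) => String(s)
  .replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;')
  .replace(/"/g, '&quot;').replace(/'/g, '&#39;');

// Text nodes are escaped on serialization (what a browser does); raw HTML handed
// to innerHTML / insertAdjacentHTML is kept verbatim, i.e. it is parsed as markup.
class FakeText { constructor(s) { this.data = String(s); } serialize() { return escapeHtml(this.data); } }
class RawHtml { constructor(s) { this.html = s; } serialize() { return this.html; } }
class FakeElement {
  constructor(tag) { this.tag = tag; this.children = []; this.attrs = {}; }
  appendChild(node) { this.children.push(node); return node; }
  setAttribute(name, value) { this.attrs[name] = String(value); }
  set textContent(s) { this.children = [new FakeText(s)]; }
  set innerHTML(s) { this.children = [new RawHtml(s)]; }
  insertAdjacentHTML(_position, s) { this.children.push(new RawHtml(s)); } // 'beforeend' only
  serialize() {
    const attrs = Object.entries(this.attrs).map(([k, v]) => ` ${k}="${escapeHtml(v)}"`).join('');
    return `<${this.tag}${attrs}>${this.children.map((c) => c.serialize()).join('')}</${this.tag}>`;
  }
}
const doc = { createElement: (t) => new FakeElement(t), createTextNode: (s) => new FakeText(s) };

// Hardcoded privilege tags: the only strings that may go through insertAdjacentHTML.
const RANK_TAGS = Object.freeze({ 1: '[ROOT]', 2: '[SUDO]', 3: '[EXEC]' });
const HANDLE_RE = /^[A-Za-z0-9_-]{1,39}$/; // assumed shape of a profile id

// BEFORE: remote JSON fields land in innerHTML, so name and id are parsed as markup.
function renderRowUnsafe(user) {
  const row = doc.createElement('tr');
  row.innerHTML = `<td>${user.rank}</td><td>${user.name}</td>` +
    `<td><a href="https://leetcode.com/u/${user.id}/">${user.id}</a></td>`;
  return row.serialize();
}

// AFTER: user-controlled values become text nodes or validated attribute values;
// only the hardcoded tag reaches insertAdjacentHTML.
function renderRowSafe(user) {
  const row = doc.createElement('tr');
  const rankCell = row.appendChild(doc.createElement('td'));
  rankCell.textContent = String(user.rank);
  const tag = RANK_TAGS[user.rank];
  if (tag) rankCell.insertAdjacentHTML('beforeend', ` <span class="tag">${tag}</span>`);

  const nameCell = row.appendChild(doc.createElement('td'));
  nameCell.appendChild(doc.createTextNode(user.name));

  const linkCell = row.appendChild(doc.createElement('td'));
  const link = linkCell.appendChild(doc.createElement('a'));
  // The id also lands in an attribute, where a text node does not help, so validate it first.
  if (HANDLE_RE.test(String(user.id))) {
    link.setAttribute('href', `https://leetcode.com/u/${encodeURIComponent(user.id)}/`);
    link.textContent = user.id;
  } else {
    link.textContent = '(invalid id)';
  }
  return row.serialize();
}

// Constructed sample records (not real leaderboard data).
const EVIL_USER = { rank: 1, name: '<img src=x onerror="alert(document.cookie)">', id: 'x" onmouseover="alert(1)' };
const PLAIN_USER = { rank: 5, name: 'Alice & Bob', id: 'alice_b' };

console.log('unsafe:', renderRowUnsafe(EVIL_USER));
console.log('safe:  ', renderRowSafe(EVIL_USER));
console.log('plain: ', renderRowSafe(PLAIN_USER));
```

The point of the fake DOM is the contract, not fidelity: whatever is assigned to `innerHTML` or passed to `insertAdjacentHTML` is markup, whatever goes through `textContent` or `createTextNode` is data, and an attribute value such as `href` needs its own validation because escaping text content does nothing for it.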

Replace innerHTML with safe DOM methods (createTextNode + textContent)
to prevent stored XSS via crafted username in the registration
success flow.

Also add prettier as devDependency for CI formatting compliance.

Closes codepvg#57

Replace innerHTML with safe DOM methods (createElement + textContent +
createTextNode) for all user-controlled data (user.name, user.id) in
both desktop rows and mobile cards. Rank privilege tags ([ROOT]/[SUDO]/[EXEC])
use insertAdjacentHTML since they are hardcoded safe strings.

Closes codepvg#58
Development

Successfully merging this pull request may close these issues.

Stored Cross-Site Scripting via Unsanitized innerHTML on Leaderboard Page