Bot names not being HTML encoded


It appears bot names are not being encoded when displayed on the website. For instance, set your bot name to <a href="">Test</a> and you'll see it shows up as a link in the visualizer. A malicious user could inject some nefarious code instead. I've only tested the visualizer, but upon a quick glance it looks like it will also affect user.php, and any other place where the bot name appears should be checked as well.


Security tips should be emailed to halite@halite.io. Not posted on the public forum.


Correct me if I'm wrong, but I believe that this is a non-issue since GitHub sanitizes input.

Also, GitHub seems to restrict the characters that you can use for your username. On trying to make my username <a href="">Test</a>, GitHub gives me this error:

Username may only contain alphanumeric characters or single hyphens, and cannot begin or end with a hyphen.


Send someone an evil replay file. Own their account.


Good catch. Was only thinking about games played on our servers. Just pushed a fix.


To be clear, current fix will only stop XSS. HTML tags like <a> and <b> will still work, but this is a much less serious problem.
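Escaping every bot name at the point it is rendered, shown here as an added example that is not the Halite project's code, neutralizes both script injection and the leftover `<a>`/`<b>` rendering mentioned above; the replay structure and the function names are assumptions.

```javascript
// Added example, not Halite's code: render an untrusted bot name taken from a
// replay file or the website so that the browser shows it as literal text.

// Characters that must be escaped in HTML text and double/single-quoted
// attribute contexts.
const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};

// Escape a string so that any markup inside it is rendered, not interpreted.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

// Build the label the visualizer would show for one player. The name comes
// from an untrusted source, so it is escaped unconditionally; the rank is
// coerced to a number so it cannot carry markup either.
function renderBotLabel(botName, rank) {
  return `<span class="bot">${escapeHtml(botName)}</span> (rank ${Number(rank)})`;
}

// Render the whole scoreboard from a (hypothetical) replay object.
function renderScoreboard(replay) {
  return replay.players.map((p) => renderBotLabel(p.name, p.rank)).join('\n');
}

// Constructed sample replay using the bot name from the thread plus a name
// with characters that break naive quoting.
const sampleReplay = {
  players: [
    { name: '<a href="">Test</a>', rank: 1 },
    { name: "O'Brien & Co", rank: 2 },
  ],
};

console.log(renderScoreboard(sampleReplay));
```

This covers HTML text and attribute contexts only; a name placed into a JavaScript string, a URL or a CSS value needs that context's own encoding. When the visualizer builds elements through the DOM, assigning `textContent` instead of `innerHTML` achieves the same result without an escaping step.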