
Bot names not being HTML encoded


#1

It appears bot names are not being encoded when displayed on the website. For instance, set your bot name to <a href="">Test</a> and you'll see it shows up as a link in the visualizer. A malicious user could inject some nefarious code instead. I've only tested the visualizer, but upon a quick glance it looks like it will also affect user.php, and any other place where the bot name appears should be checked as well.


#2

Security tips should be emailed to halite@halite.io. Not posted on the public forum.


#3

Correct me if I'm wrong, but I believe that this is a non-issue since GitHub sanitizes input.

Also, GitHub seems to restrict the characters that you can use for your username. On trying to make my username <a href="">Test</a>, GitHub gives me this error:

Username may only contain alphanumeric characters or single hyphens, and cannot begin or end with a hyphen.


#4

Send someone an evil replay file. Own their account.


#5

Good catch. Was only thinking about games played on our servers. Just pushed a fix.


#6

To be clear, current fix will only stop XSS. HTML tags like <a> and <b> will still work, but this is a much less serious problem.
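
An added example, not Halite's own code, illustrating the issue from post #1 and the distinction drawn in post #6 between blocking script execution and encoding the name as text. It is written in JavaScript because the visualizer runs in the browser. The functions `escapeHtml`, `renderBotNameUnsafe`, `renderBotNameBlocklist`, `renderBotNameSafe` and `containsInjectedTag`, the `stripScriptTags` blocklist filter and the sample bot names are all assumptions for illustration; none of them is Halite's actual implementation or fix.

```javascript
// Added example (not Halite's code): three ways a bot name can reach the page,
// run against constructed sample names. Only output encoding turns the name
// into plain text in every case.

// Escape the characters that change meaning in HTML text and attribute values.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Vulnerable: the raw bot name is concatenated straight into markup, so a
// name like <a href="">Test</a> renders as a real link.
function renderBotNameUnsafe(name) {
  return `<span class="bot-name">${name}</span>`;
}

// Hypothetical blocklist filter (illustration only): removes <script> open and
// close tags but leaves every other tag intact, so <a>, <b>, <img> still render.
function stripScriptTags(name) {
  return String(name).replace(/<\s*\/?\s*script\b[^>]*>/gi, '');
}
function renderBotNameBlocklist(name) {
  return `<span class="bot-name">${stripScriptTags(name)}</span>`;
}

// Hardened: encode at the point of output. The name is displayed verbatim as
// text, whatever it contains, and nothing in it is parsed as HTML.
function renderBotNameSafe(name) {
  return `<span class="bot-name">${escapeHtml(name)}</span>`;
}

// Crude check for the demo: does the rendered fragment contain any tag other
// than the wrapping <span> we emitted ourselves?
const OPEN = '<span class="bot-name">';
const CLOSE = '</span>';
function containsInjectedTag(html) {
  const inner = html.slice(OPEN.length, html.length - CLOSE.length);
  return /<[a-zA-Z!\/]/.test(inner);
}

// Constructed sample names. The second one is the payload from post #1; the
// rest are classic markup payloads that a <script>-only filter does not touch.
const SAMPLE_NAMES = [
  'MyBot',
  '<a href="">Test</a>',
  '<script>alert(1)</script>',
  '<a href="javascript:alert(1)">Test</a>',
  '<img src=x onerror=alert(1)>',
];

// For each sample, report whether each renderer leaks a tag into the page.
function compareRenderers(names = SAMPLE_NAMES) {
  return names.map((name) => ({
    name,
    unsafeLeaksTag: containsInjectedTag(renderBotNameUnsafe(name)),
    blocklistLeaksTag: containsInjectedTag(renderBotNameBlocklist(name)),
    safeLeaksTag: containsInjectedTag(renderBotNameSafe(name)),
  }));
}

// Stand-alone run: print the comparison table.
console.table(compareRenderers());
```

The blocklist column shows why "only stops XSS" and "tags still work" are different properties: dropping `<script>` blocks one vector, but any tag left behind is still interpreted by the browser, and a tag with a URL or event-handler attribute is itself a script vector. Encoding on output, as in `renderBotNameSafe`, makes the display context irrelevant: the bot name is text in the visualizer, in user.php, and anywhere else it is printed, so no new place that shows the name can reintroduce the bug.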