Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Squaremap-signs allows for injecting HTML #627

Closed
CodexNotFound opened this issue Jul 26, 2023 · 1 comment
Closed

Squaremap-signs allows for injecting HTML #627

CodexNotFound opened this issue Jul 26, 2023 · 1 comment

Comments

@CodexNotFound
Copy link
Contributor

Using the following sign:
image

I see the following result on the map:
image

This would also allow throwing an Error in the browser.
@CodexNotFound CodexNotFound mentioned this issue Jul 26, 2023
Closed
@JLyne
Copy link
Owner

JLyne commented Jul 26, 2023

This is an issue that needs fixing in squaremap-signs itself, as it is adding unsanitised user input into the marker tooltip and will be causing the same issue in the stock frontend.

Squaremap markers are allowed to include html in their tooltips and the official addons make frequent use of this, so it cannot be stripped out without breaking compatibility.

@JLyne JLyne closed this as not planned Won't fix, can't repro, duplicate, stale Jul 26, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Squaremap-signs injection attack vector CodexNotFound/LiveAtlas
2 participants
@JLyne @CodexNotFound