Escape user-controlled stats HTML fields #7
Merged
Pull request overview
This PR hardens the client-side stats panel rendering in openStats by escaping user-controlled strings before injecting HTML, reducing XSS risk, and by adding helper functions to normalize numeric fields (score/wins/games/win rate) before concatenation.
Changes:
- Added escapeHtml() and applied it to the stats header username and leaderboard player names.
- Added numeric formatting helpers (formatInt, formatGames, formatWinRate) and applied them to stats cards and leaderboard rows.
- Adjusted win-rate computation to use the new helpers for consistent formatting.
Comment on lines +1057 to +1060

```javascript
var formatInt = function (value) {
  var n = Number(value);
  return Number.isFinite(n) ? (n | 0) : 0;
};
```
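Review bot: `n | 0` on the third line coerces through a 32-bit signed integer, so any score at or above 2^31 silently wraps (2147483648 becomes -2147483648); use `Math.trunc(n)` if scores can grow that large. It also lets negative values through, so if a score is never negative, clamp it the way formatGames does.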
Comment on lines +1061 to +1064

```javascript
var formatGames = function (value) {
  var n = Number(value);
  return Number.isFinite(n) && n > 0 ? (n | 0) : 0;
};
```
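Review bot: this duplicates formatInt apart from the `n > 0` clamp and carries the same 32-bit wrap from `n | 0`; consider `return Math.max(0, formatInt(value));` so both helpers truncate the same way and a later fix lands in one place. Note also that `n > 0` combined with `n | 0` maps fractional values in (0, 1) to 0, which is fine for a game count but worth a comment.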
Motivation
- Address the security risk in openStats of concatenating user-controlled text directly into HTML, to prevent XSS injection.
- The username in stats-head and the player names in the leaderboard are no longer parsed directly as HTML.

Description
- Added escapeHtml(value) inside openStats to HTML-entity-escape the characters & < > " ' /.
- Added three numeric formatting helpers, formatInt(value), formatGames(value) and formatWinRate(wins, gamesN), to handle score / wins / games / win rate uniformly.
- The concatenation of self.myUser.username in stats-head is now escapeHtml((self.myUser && self.myUser.username) || '访客').
- r.username || ('uid#' + r.uid) is first assigned to playerName and written as escapeHtml(playerName); score, games and winRate are output through the numeric formatting functions.

Testing
- node --check server.js: parse check passed.
- static/index.html contains the markers escapeHtml((self.myUser && self.myUser.username), escapeHtml(playerName), formatInt(s.score) and formatGames(r.games); check passed.
- git diff --check: no conflict markers or stray whitespace; check passed.

Codex Task
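The escape-then-concatenate pattern the PR describes, as an added example that is not the project's own code: helper names follow the PR text, while the escape table, formatWinRate's output format, the `Math.trunc` variant of formatInt and the row markup are assumptions.

```javascript
var escapeHtml = function (value) {
  // Entity-escape the six characters the PR lists: & < > " ' /
  var map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;', '/': '&#x2F;' };
  return String(value == null ? '' : value).replace(/[&<>"'\/]/g, function (ch) {
    return map[ch];
  });
};

var formatInt = function (value) {
  var n = Number(value);
  // Math.trunc rather than `n | 0`, so values at or above 2^31 do not wrap (assumed variant)
  return Number.isFinite(n) ? Math.trunc(n) : 0;
};

var formatGames = function (value) {
  var n = formatInt(value);
  return n > 0 ? n : 0; // a game count is never negative
};

var formatWinRate = function (wins, gamesN) {
  // Assumed output format: percentage with one decimal, '0.0%' when no games were played
  var g = formatGames(gamesN);
  var w = Math.min(formatGames(wins), g);
  return g === 0 ? '0.0%' : (w / g * 100).toFixed(1) + '%';
};

// stats-head username with the same '访客' (guest) fallback the PR uses.
var renderHead = function (myUser) {
  return '<div class="stats-head">' + escapeHtml((myUser && myUser.username) || '访客') + '</div>';
};

// One leaderboard row from an untrusted record r (field names taken from the PR text).
var renderRow = function (r) {
  var playerName = r.username || ('uid#' + r.uid);
  return '<tr><td>' + escapeHtml(playerName) + '</td>' +
    '<td>' + formatInt(r.score) + '</td>' +
    '<td>' + formatGames(r.games) + '</td>' +
    '<td>' + formatWinRate(r.wins, r.games) + '</td></tr>';
};

// Constructed sample records: markup in a username, and a record with no username and bad numbers.
var sampleRows = [
  { uid: 1, username: '<b>Mallory</b> & "co"', score: '1500', games: 8, wins: 5 },
  { uid: 2, username: '', score: 'NaN', games: -3, wins: 2 }
];
```

Every value that reaches the markup goes through exactly one of the helpers, so a stray tag in a username is rendered as text and a malformed number collapses to 0 rather than to "NaN" or "undefined".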