Escape user-controlled stats HTML fields#7

Merged
TypeThe0ry merged 1 commit into
mainfrom
codex-t34cwl
Jun 27, 2026

Conversation

@TypeThe0ry (Owner)
Motivation

  • Fix the security risk in openStats where user-controllable text was concatenated straight into HTML, to prevent XSS injection.
  • Ensure that the username in the stats panel's stats-head and the player names in the leaderboard are never parsed directly as HTML.
  • Also normalise score, wins, games and win rate as numbers so that non-numeric strings are not concatenated verbatim.

Description

  • Added escapeHtml(value) inside openStats to HTML-entity-escape the characters & < > " ' /.
  • Added three numeric formatting helpers, formatInt(value), formatGames(value) and formatWinRate(wins, gamesN), to handle score/wins/games/win rate uniformly.
  • Changed the stats-head concatenation of self.myUser.username to escapeHtml((self.myUser && self.myUser.username) || '访客').
  • Changed the leaderboard row generation so that r.username || ('uid#' + r.uid) is first assigned to playerName and written as escapeHtml(playerName), and so that score, games and winRate are emitted through the numeric formatting helpers.

Testing

  • Ran node --check server.js; the parse check passed.
  • Used an inline Node script to verify that static/index.html contains the markers escapeHtml((self.myUser && self.myUser.username), escapeHtml(playerName), formatInt(s.score) and formatGames(r.games); check passed.
  • Ran git diff --check; no conflict markers or stray whitespace; check passed.

Codex Task
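The helpers the description names, reconstructed as an added example rather than the PR's own code (escapeHtml, formatInt, formatGames and formatWinRate are the PR's helper names; renderLeaderboardRow and the sample record are assumptions, and truncation uses Math.trunc instead of the `n | 0` in the diff):

```javascript
// Added example, not the project's code. escapeHtml/formatInt/formatGames/
// formatWinRate are the helper names from the PR; renderLeaderboardRow and the
// sample record are assumptions; Math.trunc replaces the PR's `n | 0`.
var ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;', '/': '&#x2F;' };

function escapeHtml(value) {
  // Escape the characters that end a text node or attribute value; '/' is
  // included so "</script>" in a name cannot close a surrounding tag.
  return String(value == null ? '' : value).replace(/[&<>"'\/]/g, function (ch) {
    return ESCAPES[ch];
  });
}

function formatInt(value) {
  // Non-numeric input becomes 0 instead of being concatenated verbatim.
  var n = Number(value);
  return Number.isFinite(n) ? Math.trunc(n) : 0;
}

function formatGames(value) {
  // A games count is a positive integer; check positivity after truncation.
  var n = Number(value);
  var i = Number.isFinite(n) ? Math.trunc(n) : 0;
  return i > 0 ? i : 0;
}

function formatWinRate(wins, gamesN) {
  // Percentage with one decimal, guarded against division by zero.
  var g = formatGames(gamesN);
  return g === 0 ? '0.0' : (100 * formatInt(wins) / g).toFixed(1);
}

function renderLeaderboardRow(r) {
  // r is a leaderboard record such as { uid, username, score, wins, games }.
  var playerName = r.username || ('uid#' + r.uid);
  var games = formatGames(r.games);
  return '<tr><td>' + escapeHtml(playerName) + '</td>' +
    '<td>' + formatInt(r.score) + '</td>' +
    '<td>' + games + '</td>' +
    '<td>' + formatWinRate(r.wins, games) + '%</td></tr>';
}

// Constructed sample record: a username carrying markup and a garbage score.
var hostileRecord = { uid: 7, username: '<script>alert(1)</script>', score: '12abc', wins: 3, games: '4' };
console.log(renderLeaderboardRow(hostileRecord));
```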

@TypeThe0ry TypeThe0ry marked this pull request as ready for review June 27, 2026 10:59
Copilot AI review requested due to automatic review settings June 27, 2026 10:59
@TypeThe0ry TypeThe0ry merged commit dd2c46c into main Jun 27, 2026
1 check passed

Copilot AI left a comment


Pull request overview

This PR hardens the client-side stats panel rendering in openStats by escaping user-controlled strings before injecting HTML, reducing XSS risk, and by adding helper functions to normalize numeric fields (score/wins/games/win rate) before concatenation.

Changes:

  • Added escapeHtml() and applied it to the stats header username and leaderboard player names.
  • Added numeric formatting helpers (formatInt, formatGames, formatWinRate) and applied them to stats cards and leaderboard rows.
  • Adjusted win-rate computation to use the new helpers for consistent formatting.


Comment thread static/index.html
Comment on lines +1057 to +1060
var formatInt = function (value) {
var n = Number(value);
return Number.isFinite(n) ? (n | 0) : 0;
};
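Review bot: `n | 0` in formatInt is a 32-bit signed conversion, not plain integer truncation, so any score at or above 2147483648 silently wraps to a wrong (possibly negative) value instead of being clamped or rejected. Math.trunc(n) truncates without the wrap; if 32-bit behaviour is intended, a comment on the helper saying so would save the next reader the surprise.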
Comment thread static/index.html
Comment on lines +1061 to +1064
var formatGames = function (value) {
var n = Number(value);
return Number.isFinite(n) && n > 0 ? (n | 0) : 0;
};
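Review bot: the `n > 0` guard in formatGames is evaluated before the `| 0` truncation, so a games count of 2147483648 or more passes the guard and the function still returns a negative number, contradicting the invariant the guard is meant to enforce. Truncate first and test the truncated value, e.g. `var i = Math.trunc(n); return Number.isFinite(n) && i > 0 ? i : 0;`.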
@TypeThe0ry TypeThe0ry deleted the codex-t34cwl branch June 27, 2026 11:15