Hello, I have been using the CodinGame SDK for a short time. While writing my first page, statement_fr.html, locally, I wanted to add features to the static page, so I tried opening a script tag and started writing inside it.
I then realized that the code in the script tag does not execute. On reflection this seems logical, since after the publication of the game the code would run in the player's browser and would not be controlled by codingame.com, which can be nasty with malicious code.
Then, continuing to write my page statement_en.html,
I wanted to load an image from a remote URL (I was mistaken in the source of the image), and by reflex I added an onerror attribute on the img tag to verify that the source of the image was valid. I realized that JavaScript is executed when it is written inline in HTML attributes (in the local environment, anyway). This behavior seems a bit strange, and I have not found another issue that talks about it elsewhere. I would like to know if this is blocked after publication of the game. Is this a feature that was intentionally added?
Or is this a real bug and possibly an XSS flaw?
I am French, sorry for my approximate English.