Fascinated/Minetrack
1
0
Fork 0
Code Issues Pull Requests 1 Actions Packages Projects Releases Wiki Activity

Fix XSS by parsing player counts as raw data and validating favicon URIs (#116)

Browse Source 
* Fix XSS by parsing player counts as raw data (instead of parsing it)

* Ensure the returned favicon is a data URI

* Force server favicon size to 64px

* Increase specificity of data URI validation

The previous commit would happily accept any domain (or subdomain) that started with "data"
This commit is contained in:
Hugo Manrique
2019-09-05 23:15:44 +02:00
committed by Crypt
parent 6da613bbb8
commit 0392fce6c3
3 changed files with 15 additions and 6 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
assets/js/site.js
View File

@ -11,6 +11,7 @@ var mojangServicesUpdater;
var sortServersTask;
var currentServerHover;
var faviconSize = 64;
function updateServerStatus(lastEntry) {
var info = lastEntry.info;
@ -413,7 +414,7 @@ $(document).ready(function() {
class: 'server',
'server-id': safeNameCopy,
html: '<div id="server-' + safeNameCopy + '" class="column" style="width: 80px;">\
<img id="favicon_' + safeNameCopy + '" title="' + info.name + '\n' + info.ip + printPort(info.port) + '">\
<img id="favicon_' + safeNameCopy + '" title="' + info.name + '\n' + info.ip + printPort(info.port) + '" height="' + faviconSize + '" width="' + faviconSize + '">\
<br />\
<p class="text-center-align rank" id="ranking_' + safeNameCopy + '"></p>\
</div>\