security: escape answer field in geoword admin compare view#537

Open

xpoes123 wants to merge 1 commit into qbreader:main from xpoes123:security/escape-geoword-compare-xss

Conversation

xpoes123 (Contributor) commented Jun 30, 2026

The canonical answer field in the geoword comparison view was interpolated directly into an innerHTML template literal without escaping, allowing a crafted answer string to inject arbitrary HTML and execute JavaScript when an admin views the page (stored XSS).

Problem

In client/admin/geoword/compare.js at the answer display line, myBuzz.answer was passed through removeParentheses and then inserted raw into the template:

<div><b>Answer:</b> ${removeParentheses(myBuzz.answer)}</div>

The escapeHTML utility was already imported and applied consistently to every other user-supplied field in the same file (givenAnswer, etc.), but was missing here.

Changes

  • Wraps the interpolation as escapeHTML(removeParentheses(myBuzz.answer)), using the utility already in scope.

Risk & testing

Single-line change; no new imports or dependencies. escapeHTML plain-escapes text — it does not attempt to sanitize markup — which is the correct treatment for a plain-text answer field. Behavior is identical for answers containing no HTML special characters. semistandard and node --check pass.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
xpoes123 changed the title from "security: escape user answer data in geoword compare view" to "security: escape answer field in geoword admin compare view" on Jun 30, 2026
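The fix described in the PR, as an added example that is not qbreader's own code. escapeHTML and removeParentheses below are stand-ins for the utilities the PR names (their real implementations in client/ are not shown on this page), and the sample buzz is constructed. The example renders the answer line both the pre-fix way and the fixed way, then checks that nothing from the user-controlled portion survives as a tag, and that output is unchanged for an answer with no HTML-significant characters, which is the behaviour the PR claims.

```javascript
// Added example, not code from qbreader. escapeHTML/removeParentheses are
// assumed stand-ins for the project's utilities; the real ones may differ.

const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Plain-text escaping: every HTML-significant character becomes an entity.
// This is not a sanitizer; the output can never be interpreted as markup.
function escapeHTML(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Stand-in: drop parenthesised alternate answers, e.g. "Paris (France)" -> "Paris".
function removeParentheses(text) {
  return String(text).replace(/\s*\([^)]*\)/g, '').trim();
}

// Before the fix: the answer is interpolated raw into an innerHTML template literal.
function renderAnswerVulnerable(buzz) {
  return `<div><b>Answer:</b> ${removeParentheses(buzz.answer)}</div>`;
}

// After the fix: escapeHTML wraps the interpolation, matching the other fields in the file.
function renderAnswerFixed(buzz) {
  return `<div><b>Answer:</b> ${escapeHTML(removeParentheses(buzz.answer))}</div>`;
}

// Review check: strip the template's own fixed markup and report whether anything
// originating from the user-controlled answer still looks like a tag.
function userControlledPartHasMarkup(html) {
  const body = html.replace('<div><b>Answer:</b> ', '').replace(/<\/div>$/, '');
  return /<[a-zA-Z!/]/.test(body);
}

// Constructed sample: an answer carrying markup, an ampersand and a parenthesised note.
const SAMPLE_BUZZ = { answer: 'Mount <i>Everest</i> (Sagarmatha) & more' };
const PLAIN_BUZZ = { answer: 'Paris (France)' };

// Stand-alone run: the vulnerable render keeps the <i> tag, the fixed one encodes it.
console.log(renderAnswerVulnerable(SAMPLE_BUZZ));
console.log(renderAnswerFixed(SAMPLE_BUZZ));
console.log('plain answer unchanged by fix:',
  renderAnswerVulnerable(PLAIN_BUZZ) === renderAnswerFixed(PLAIN_BUZZ));
```

Note that the check is textual rather than DOM-based so it runs under plain Node; in a browser the equivalent confirmation is that the rendered element's textContent equals the original answer string and it has no child elements beyond the fixed `<b>`.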