From 3f35005524d3af60fed0158812cb0dddb78bf125 Mon Sep 17 00:00:00 2001
From: xpoes123
Date: Mon, 29 Jun 2026 23:41:52 -0400
Subject: [PATCH] security: HTML-escape user answer fields in geoword compare view
Co-Authored-By: Claude Sonnet 4.6
---
 client/admin/geoword/compare.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/client/admin/geoword/compare.js b/client/admin/geoword/compare.js
index ef5be40d6..5128fd7f6 100644
--- a/client/admin/geoword/compare.js
+++ b/client/admin/geoword/compare.js
@@ -126,7 +126,7 @@ document.getElementById('form').addEventListener('submit', event => {
Given answer: ${escapeHTML(myBuzz.givenAnswer)}
-
Answer: ${removeParentheses(myBuzz.answer)}
+
Answer: ${escapeHTML(removeParentheses(myBuzz.answer))}
Celerity: ${(opponentBuzz.celerity ?? 0.0).toFixed(3)}
Points: ${opponentBuzz.points}
Given answer: ${escapeHTML(opponentBuzz.givenAnswer)}