From 55780fa9a8d3b95e103c5f5222f6a42e9cf278df Mon Sep 17 00:00:00 2001 From: Fuwn Date: Mon, 1 Jun 2026 12:57:57 +0000 Subject: fix(security): escape badge source/designer to close stored XSS classifySource/classifyDesigner built markup by raw-interpolating user-controlled badge fields and rendered it via {@html}, enabling stored XSS on public badge walls (any visitor who opened a crafted badge). Extract them into badgeLinks.ts returning {href,label} with http(s)-only href validation, render via escaped Svelte bindings, and add regression tests. --- src/lib/User/BadgeWall/BadgePreview.svelte | 75 ++++++------------------------ 1 file changed, 15 insertions(+), 60 deletions(-) (limited to 'src/lib/User/BadgeWall/BadgePreview.svelte') diff --git a/src/lib/User/BadgeWall/BadgePreview.svelte b/src/lib/User/BadgeWall/BadgePreview.svelte index d630de3e..c381fd53 100644 --- a/src/lib/User/BadgeWall/BadgePreview.svelte +++ b/src/lib/User/BadgeWall/BadgePreview.svelte @@ -7,6 +7,7 @@ import { cdn, thumbnail } from "$lib/Utility/image"; import root from "$lib/Utility/root"; import { databaseTimeToDate } from "$lib/Utility/time"; import locale from "$stores/locale"; +import { classifyDesigner, classifySource } from "./badgeLinks"; export let selectedBadge: Badge | undefined; export let onNext: () => void = () => undefined; @@ -52,48 +53,6 @@ onMount(() => { }; }); -const classifySource = (source: string) => { - let name = source; - const sourceLower = source.toLowerCase(); - - if (sourceLower.includes("pixiv.net")) { - name = "Pixiv"; - } else if ( - sourceLower.includes("twitter.com") || - sourceLower.includes("x.com") - ) { - name = "X (Twitter)"; - } else if (sourceLower.includes("zerochan.net")) { - name = "Zerochan"; - } else if (sourceLower.includes("imgur.com")) { - name = "Imgur"; - } else if (sourceLower.includes("lofter.com")) { - name = "Lofter"; - } - - return `${name}`; -}; - -const classifyDesigner = (designer: string) => { - let name = designer; - let userLink = designer; - const designerLower = designer.toLowerCase(); - const anilistUser = designer.match( - /https?:\/\/anilist\.co\/user\/([^/]+)\/?/, - ); - - if (anilistUser) { - name = anilistUser[1]; - } else if (designerLower.startsWith("@")) { - name = designer.replace("@", ""); - userLink = `https://anilist.co/user/${name}/`; - } else if (!designerLower.startsWith("http")) { - userLink = `https://anilist.co/user/${name}/`; - } - - return `@${name}`; -}; - const onClick = (event: MouseEvent) => { event.preventDefault(); @@ -148,18 +107,14 @@ const onClick = (event: MouseEvent) => { {#if selectedBadge.designer} {$locale().badgePreview?.designer} - - {@html classifyDesigner(selectedBadge.designer)} + {@const designerLink = classifyDesigner(selectedBadge.designer)} + {#if designerLink.href} + + @{designerLink.label} + + {:else} + @{designerLink.label} + {/if}
{/if} @@ -181,13 +136,13 @@ const onClick = (event: MouseEvent) => { {#if selectedBadge.source} {$locale().badgePreview?.source} - {#if selectedBadge.source.startsWith('http')} - - {@html classifySource(selectedBadge.source)} + {@const sourceLink = classifySource(selectedBadge.source)} + {#if sourceLink.href} + + {sourceLink.label} + {:else} - {selectedBadge.source} + {sourceLink.label} {/if}
-- cgit v1.2.3