[Security] JS challenges vulnerable to XSS
Update: Details hidden, by mod. Update: Details disclosed, by mod.
Hi! Love the purpose of this project but it seems the way some of the JS challenges are set up makes it vulnerable to XSS.
Challenge Name
At least https://www.freecodecamp.org/challenges/sum-all-primes and https://www.freecodecamp.org/challenges/smallest-common-multiple, if not all JS challenges.
Issue Description
JS challenges appear to be vulnerable to XSS via injection in the URL. Examples:
https://www.freecodecamp.org/challenges/sum-all-primes#?solution=alert('xss')
https://www.freecodecamp.org/challenges/smallest-common-multiple#?solution=alert('xss')
If signed in, observe that alert('xss') executes.
Browser Information
Chrome, but should affect all browsers with appropriate escaping.
I’m not sure how dangerous session hijacking is to your site but thought it’d be worth pointing out. Let me know what you think.
Issue Analytics
- Created 6 years ago
- Comments: 10 (9 by maintainers)
Top GitHub Comments
We have fixed this in production. As a side effect, the sharing code URLs from profile, and viewing solutions from profiles are disabled.
This side effect is temporary and is already handled more elegantly in the beta.
We will soon be adding a more clear warning notice on the profile page, for clarification.
Thanks for the fix! Verified that the issue as it was no longer works. Sorry again for the irresponsible disclosure, hope it didn’t cause too much trouble.
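
Added example, not part of the thread and not freeCodeCamp's code: one way to handle a `#?solution=` fragment like the ones in the report, so that code arriving in the URL is shown in the editor but not executed until the signed-in user explicitly accepts it. All function names are hypothetical, and the runner is a stand-in for whatever evaluates challenge code.

```javascript
// Added example, not freeCodeCamp's code: all names below are hypothetical.

// Pull the raw "solution" value out of a "#?solution=..." fragment.
// Parsed by hand because URLSearchParams would turn "+" in code into a space.
function solutionFromHash(hash) {
  const query = hash.replace(/^#\??/, '');
  for (const pair of query.split('&')) {
    const eq = pair.indexOf('=');
    if (eq === -1 || pair.slice(0, eq) !== 'solution') continue;
    try {
      return decodeURIComponent(pair.slice(eq + 1));
    } catch (e) {
      return null; // malformed percent-encoding: treat as no shared solution
    }
  }
  return null;
}

// Build the editor state for a challenge URL. Code that arrived in the URL
// is attacker-controllable, so it is shown but never marked runnable.
function editorStateFromUrl(url) {
  const code = solutionFromHash(new URL(url).hash);
  if (code === null) return { code: '', source: 'user', mayRun: true };
  return { code, source: 'url', mayRun: false };
}

// Called only from an explicit user action (e.g. clicking a confirm button).
function acceptSharedCode(state) {
  return { ...state, source: 'user', mayRun: true };
}

// Gate in front of whatever evaluates challenge code (runner is a stand-in).
function runIfAllowed(state, runner) {
  if (!state.mayRun) return { ran: false, reason: 'code-from-url' };
  return { ran: true, result: runner(state.code) };
}

// Constructed sample: one of the URLs from the report.
const sample =
  "https://www.freecodecamp.org/challenges/sum-all-primes#?solution=alert('xss')";
const calls = [];
const recordingRunner = (code) => { calls.push(code); return 'executed'; };
const onLoad = runIfAllowed(editorStateFromUrl(sample), recordingRunner);
console.log(onLoad, calls.length); // the runner is not invoked on page load
```

In a browser, the same gate pairs well with evaluating accepted code inside an iframe that has `sandbox="allow-scripts"` and no `allow-same-origin`, so the code runs in an opaque origin without access to the site's session.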