Merge pull request #912 from XMOJ-Script-dev/dev

Author: boomzero

Update.json

@@ -3348,6 +3348,43 @@
                 }
             ],
             "Notes": "v3 显然需要在新年第一天发布("
+        },
+        "3.1.1": {
+            "UpdateDate": 1771489733913,
+            "Prerelease": true,
+            "UpdateContents": [
+                {
+                    "PR": 910,
+                    "Description": "Fix XSS in post title rendering"
+                }
+            ],
+            "Notes": "Fixed a stored XSS vulnerability in discussion thread post titles."
+        },
+        "3.1.2": {
+            "UpdateDate": 1771493127347,
+            "Prerelease": true,
+            "UpdateContents": [
+                {
+                    "PR": 911,
+                    "Description": "Fix additional XSS vulnerabilities"
+                }
+            ],
+            "Notes": "Fixed additional stored XSS vulnerabilities where user-controlled data was inserted into innerHTML without sanitization."
+        },
+        "3.2.0": {
+            "UpdateDate": 1771493320789,
+            "Prerelease": false,
+            "UpdateContents": [
+                {
+                    "PR": 910,
+                    "Description": "Fix XSS in post title rendering"
+                },
+                {
+                    "PR": 911,
+                    "Description": "Fix additional XSS vulnerabilities"
+                }
+            ],
+            "Notes": "No release notes were provided for this release."
         }
     }
 }

XMOJ.user.js

@@ -1,6 +1,6 @@
 // ==UserScript==
 // @name         XMOJ
-// @version      3.1.0
+// @version      3.2.0
 // @description  XMOJ增强脚本
 // @author       @XMOJ-Script-dev, @langningchen and the community
 // @namespace    https://github/langningchen
@@ -1912,7 +1912,7 @@ async function main() {
                                 let UpdateDataCardListItem = document.createElement("li");
                                 UpdateDataCardList.appendChild(UpdateDataCardListItem);
                                 UpdateDataCardListItem.className = "list-group-item";
-                                UpdateDataCardListItem.innerHTML = "(<a href=\"https://github.com/XMOJ-Script-dev/XMOJ-Script/pull/" + Data.UpdateContents[j].PR + "\" target=\"_blank\">" + "#" + Data.UpdateContents[j].PR + "</a>) " + Data.UpdateContents[j].Description;
+                                UpdateDataCardListItem.innerHTML = "(<a href=\"https://github.com/XMOJ-Script-dev/XMOJ-Script/pull/" + Data.UpdateContents[j].PR + "\" target=\"_blank\">" + "#" + Data.UpdateContents[j].PR + "</a>) " + escapeHTML(Data.UpdateContents[j].Description);
                             }
                             let UpdateDataCardLink = document.createElement("a");
                             UpdateDataCardBody.appendChild(UpdateDataCardLink);
@@ -3418,7 +3418,7 @@ async function main() {
                                         let UpdateDataCardListItem = document.createElement("li");
                                         UpdateDataCardList.appendChild(UpdateDataCardListItem);
                                         UpdateDataCardListItem.className = "list-group-item";
-                                        UpdateDataCardListItem.innerHTML = "(<a href=\"https://github.com/XMOJ-Script-dev/XMOJ-Script/pull/" + Data.UpdateContents[j].PR + "\" target=\"_blank\">" + "#" + Data.UpdateContents[j].PR + "</a>) " + Data.UpdateContents[j].Description;
+                                        UpdateDataCardListItem.innerHTML = "(<a href=\"https://github.com/XMOJ-Script-dev/XMOJ-Script/pull/" + Data.UpdateContents[j].PR + "\" target=\"_blank\">" + "#" + Data.UpdateContents[j].PR + "</a>) " + escapeHTML(Data.UpdateContents[j].Description);
                                     }
                                     let UpdateDataCardLink = document.createElement("a");
                                     UpdateDataCardBody.appendChild(UpdateDataCardLink);
@@ -3709,8 +3709,8 @@ async function main() {
                         let UserInfoElement = document.createElement("div");
                         UserInfoElement.classList.add("col-auto");
                         UserInfoElement.style.lineHeight = "40px";
-                        UserInfoElement.innerHTML += "用户名：" + UserID + "<br>";
-                        UserInfoElement.innerHTML += "昵称：" + UserNick + "<br>";
+                        UserInfoElement.innerHTML += "用户名：" + escapeHTML(UserID) + "<br>";
+                        UserInfoElement.innerHTML += "昵称：" + escapeHTML(UserNick) + "<br>";
                         if (UtilityEnabled("Rating")) {
                             UserInfoElement.innerHTML += "评分：" + ((await GetUserInfo(UserID)).Rating) + "<br>";
                         }
@@ -4858,7 +4858,7 @@ int main()
                                                 TitleLink.classList.add("link-secondary");
                                                 TitleLink.innerHTML = "🔒 ";
                                             }
-                                            TitleLink.innerHTML += Posts[i].Title;
+                                            TitleLink.innerHTML += escapeHTML(Posts[i].Title);
                                             let AuthorCell = document.createElement("td");
                                             Row.appendChild(AuthorCell);
                                             GetUsernameHTML(AuthorCell, Posts[i].UserID);
@@ -5202,12 +5202,12 @@ int main()
                                                     Delete.style.display = "";
                                                 }
                                             }
-                                            PostTitle.innerHTML = ResponseData.Data.Title + (ResponseData.Data.ProblemID == 0 ? "" : ` - 题目` + ` <a href="https://www.xmoj.tech/problem.php?id=` + ResponseData.Data.ProblemID + `">` + ResponseData.Data.ProblemID + `</a>`);
+                                            PostTitle.innerHTML = escapeHTML(ResponseData.Data.Title) + (ResponseData.Data.ProblemID == 0 ? "" : ` - 题目` + ` <a href="https://www.xmoj.tech/problem.php?id=` + ResponseData.Data.ProblemID + `">` + ResponseData.Data.ProblemID + `</a>`);
                                             document.title = "讨论" + ThreadID + ": " + ResponseData.Data.Title;
                                             PostAuthor.innerHTML = "<span></span>";
                                             GetUsernameHTML(PostAuthor.children[0], ResponseData.Data.UserID);
                                             PostTime.innerHTML = GetRelativeTime(ResponseData.Data.PostTime);
-                                            PostBoard.innerHTML = ResponseData.Data.BoardName;
+                                            PostBoard.innerHTML = escapeHTML(ResponseData.Data.BoardName);
                                             let Replies = ResponseData.Data.Reply;
                                             PostReplies.innerHTML = "";
                                             for (let i = 0; i < Replies.length; i++) {
@@ -5357,7 +5357,7 @@ int main()
                                                     if (Replies[i].EditPerson == Replies[i].UserID) {
                                                         ReplyContentElement.innerHTML += `<span class="text-muted" style="font-size: 12px">最后编辑于${GetRelativeTime(Replies[i].EditTime)}</span>`;
                                                     } else {
-                                                        ReplyContentElement.innerHTML += `<span class="text-muted" style="font-size: 12px">最后被<span class="Usernames">${Replies[i].EditPerson}</span>编辑于${GetRelativeTime(Replies[i].EditTime)}</span>`;
+                                                        ReplyContentElement.innerHTML += `<span class="text-muted" style="font-size: 12px">最后被<span class="Usernames">${escapeHTML(Replies[i].EditPerson)}</span>编辑于${GetRelativeTime(Replies[i].EditTime)}</span>`;
                                                     }
                                                 }
                                                 let ContentEditElement = document.createElement("div");

package.json

@@ -1,6 +1,6 @@
 {
   "name": "xmoj-script",
-  "version": "3.1.0",
+  "version": "3.2.0",
   "description": "an improvement script for xmoj.tech",
   "main": "AddonScript.js",
   "scripts": {