diff --git a/Update.json b/Update.json
index cc93908a..baa8c19d 100644
--- a/Update.json
+++ b/Update.json
@@ -3359,6 +3359,17 @@
 }
 ],
 "Notes": "Fixed a stored XSS vulnerability in discussion thread post titles."
+ },
+ "3.1.2": {
+ "UpdateDate": 1771493127347,
+ "Prerelease": true,
+ "UpdateContents": [
+ {
+ "PR": 911,
+ "Description": "Fix additional XSS vulnerabilities"
+ }
+ ],
+ "Notes": "Fixed additional stored XSS vulnerabilities where user-controlled data was inserted into innerHTML without sanitization."
 }
 }
 }
\ No newline at end of file
diff --git a/XMOJ.user.js b/XMOJ.user.js
index 0b120687..592d8ffc 100644
--- a/XMOJ.user.js
+++ b/XMOJ.user.js
@@ -1,6 +1,6 @@
 // ==UserScript==
 // @name XMOJ
-// @version 3.1.1
+// @version 3.1.2
 // @description XMOJ增强脚本
 // @author @XMOJ-Script-dev, @langningchen and the community
 // @namespace https://github/langningchen
@@ -1912,7 +1912,7 @@ async function main() {
 let UpdateDataCardListItem = document.createElement("li");
 UpdateDataCardList.appendChild(UpdateDataCardListItem);
 UpdateDataCardListItem.className = "list-group-item";
- UpdateDataCardListItem.innerHTML = "(" + "#" + Data.UpdateContents[j].PR + ") " + Data.UpdateContents[j].Description;
+ UpdateDataCardListItem.innerHTML = "(" + "#" + Data.UpdateContents[j].PR + ") " + escapeHTML(Data.UpdateContents[j].Description);
 }
 let UpdateDataCardLink = document.createElement("a");
 UpdateDataCardBody.appendChild(UpdateDataCardLink);
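Review bot: `Data.UpdateContents[j].PR` is still concatenated into `innerHTML` unescaped on the changed line of the `@@ -1912` hunk, and the `@@ -3418` hunk repeats the identical line. It is read from the same update record as `Description`, so if that record is treated as untrusted the PR field needs the same handling, for example `escapeHTML(String(Data.UpdateContents[j].PR))`, or skipping entries where `Number.isInteger(Data.UpdateContents[j].PR)` is false. If the list item needs no markup of its own, assigning the whole string to `textContent` would remove the dependency on escaping; string literals on this page look truncated, so confirm against the real file. The enclosing loop in `main()` starts and ends outside both hunks.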
@@ -3418,7 +3418,7 @@ async function main() {
 let UpdateDataCardListItem = document.createElement("li");
 UpdateDataCardList.appendChild(UpdateDataCardListItem);
 UpdateDataCardListItem.className = "list-group-item";
- UpdateDataCardListItem.innerHTML = "(" + "#" + Data.UpdateContents[j].PR + ") " + Data.UpdateContents[j].Description;
+ UpdateDataCardListItem.innerHTML = "(" + "#" + Data.UpdateContents[j].PR + ") " + escapeHTML(Data.UpdateContents[j].Description);
 }
 let UpdateDataCardLink = document.createElement("a");
 UpdateDataCardBody.appendChild(UpdateDataCardLink);
@@ -3709,8 +3709,8 @@ async function main() {
 let UserInfoElement = document.createElement("div");
 UserInfoElement.classList.add("col-auto");
 UserInfoElement.style.lineHeight = "40px";
- UserInfoElement.innerHTML += "用户名:" + UserID + "
";
- UserInfoElement.innerHTML += "昵称:" + UserNick + "
";
+ UserInfoElement.innerHTML += "用户名:" + escapeHTML(UserID) + "
";
+ UserInfoElement.innerHTML += "昵称:" + escapeHTML(UserNick) + "
";
 if (UtilityEnabled("Rating")) {
 UserInfoElement.innerHTML += "评分:" + ((await GetUserInfo(UserID)).Rating) + "
";
 }
@@ -4858,7 +4858,7 @@ int main()
 TitleLink.classList.add("link-secondary");
 TitleLink.innerHTML = "🔒 ";
 }
- TitleLink.innerHTML += Posts[i].Title;
+ TitleLink.innerHTML += escapeHTML(Posts[i].Title);
 let AuthorCell = document.createElement("td");
 Row.appendChild(AuthorCell);
 GetUsernameHTML(AuthorCell, Posts[i].UserID);
@@ -5207,7 +5207,7 @@ int main()
 PostAuthor.innerHTML = "";
 GetUsernameHTML(PostAuthor.children[0], ResponseData.Data.UserID);
 PostTime.innerHTML = GetRelativeTime(ResponseData.Data.PostTime);
- PostBoard.innerHTML = ResponseData.Data.BoardName;
+ PostBoard.innerHTML = escapeHTML(ResponseData.Data.BoardName);
 let Replies = ResponseData.Data.Reply;
 PostReplies.innerHTML = "";
 for (let i = 0; i < Replies.length; i++) {
@@ -5357,7 +5357,7 @@ int main()
 if (Replies[i].EditPerson == Replies[i].UserID) {
 ReplyContentElement.innerHTML += `最后编辑于${GetRelativeTime(Replies[i].EditTime)}`;
 } else {
- ReplyContentElement.innerHTML += `最后被${Replies[i].EditPerson}编辑于${GetRelativeTime(Replies[i].EditTime)}`;
+ ReplyContentElement.innerHTML += `最后被${escapeHTML(Replies[i].EditPerson)}编辑于${GetRelativeTime(Replies[i].EditTime)}`;
 }
 }
 let ContentEditElement = document.createElement("div");
diff --git a/package.json b/package.json
index 62b60c53..7c668d9a 100644
--- a/package.json
+++ b/package.json
@@ -1,6 +1,6 @@
 {
 "name": "xmoj-script",
- "version": "3.1.1",
+ "version": "3.1.2",
 "description": "an improvement script for xmoj.tech",
 "main": "AddonScript.js",
 "scripts": {
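Review bot: The `评分` line in the `@@ -3709` hunk still appends `(await GetUserInfo(UserID)).Rating` to `innerHTML` without escaping, directly below the two lines this commit fixes. Whether `Rating` is always numeric depends on `GetUserInfo`, which is outside the diff, so wrapping it as `escapeHTML(String((await GetUserInfo(UserID)).Rating))` would keep the three rows consistent. Each `innerHTML +=` also re-serialises and re-parses what the element already holds, so building these rows from text nodes would be sturdier than repeated string appends. The surrounding code in `main()` continues past the hunk.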
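Review bot: In the `@@ -4858` hunk, `TitleLink.innerHTML += escapeHTML(Posts[i].Title)` keeps the title on the HTML-parsing path, so its safety rests entirely on `escapeHTML`, whose definition is not part of this diff. Appending the title as text with `TitleLink.append(Posts[i].Title);` avoids parsing altogether and leaves the lock prefix set just above untouched. The same applies to the `@@ -5207` hunk, where `PostBoard.textContent = ResponseData.Data.BoardName;` would replace the escaped `innerHTML` assignment. Both enclosing blocks start and end outside their hunks.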