Skip to content

Release: XSS security fixes #912

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
boomzero merged 11 commits into from
Feb 19, 2026
Merged

Release: XSS security fixes #912

Show file tree
Hide file tree
Changes from 8 commits
Commits
Show all changes
11 commits
Select commit Hold shift + click to select a range
76ae832
Fix XSS vulnerability in post title rendering
boomzero Feb 19, 2026
eba35cd
3.1.1
github-actions[bot] Feb 19, 2026
bc07e57
Update version info to 3.1.1
github-actions[bot] Feb 19, 2026
f2b74a7
Merge pull request #910 from XMOJ-Script-dev/fix/xss-post-title
boomzero Feb 19, 2026
ececcfa
Fix additional XSS vulnerabilities in innerHTML assignments
boomzero Feb 19, 2026
9f41a71
3.1.2
github-actions[bot] Feb 19, 2026
e51cb29
Update version info to 3.1.2
github-actions[bot] Feb 19, 2026
103424b
Merge pull request #911 from XMOJ-Script-dev/fix/xss-additional-escaping
boomzero Feb 19, 2026
015b3ea
3.2.0
github-actions[bot] Feb 19, 2026
e155083
Update to release 3.2.0
github-actions[bot] Feb 19, 2026
9583131
Merge pull request #913 from XMOJ-Script-dev/actions/temp
github-actions[bot] Feb 19, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
22 changes: 22 additions & 0 deletions Update.json
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -3348,6 +3348,28 @@
}
],
"Notes": "v3 显然需要在新年第一天发布("
},
"3.1.1": {
"UpdateDate": 1771489733913,
"Prerelease": true,
Copy link
Copy Markdown
Contributor

@cubic-dev-ai cubic-dev-ai Bot Feb 19, 2026
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P1: Security release version 3.1.2 is marked as Prerelease: true, which will prevent normal users from receiving the XSS security fixes. The update system only prompts non-debug users to install stable (non-prerelease) versions. Change this to false to ensure the security patches are distributed to all users.

Prompt for AI agents 
Check if this issue is valid — if so, understand the root cause and fix it. At Update.json, line 3354:

<comment>Security release version 3.1.2 is marked as `Prerelease: true`, which will prevent normal users from receiving the XSS security fixes. The update system only prompts non-debug users to install stable (non-prerelease) versions. Change this to `false` to ensure the security patches are distributed to all users.</comment>

<file context>
@@ -3348,6 +3348,28 @@
+        },
+        "3.1.1": {
+            "UpdateDate": 1771489733913,
+            "Prerelease": true,
+            "UpdateContents": [
+                {
</file context>
Suggested change
"Prerelease": true,
"Prerelease": false,
Fix with Cubic

"UpdateContents": [
{
"PR": 910,
"Description": "Fix XSS in post title rendering"
}
],
"Notes": "Fixed a stored XSS vulnerability in discussion thread post titles."
},
"3.1.2": {
"UpdateDate": 1771493127347,
"Prerelease": true,

This comment was marked as spam.

Sign in to view

"UpdateContents": [
{
"PR": 911,
"Description": "Fix additional XSS vulnerabilities"
}
],
"Notes": "Fixed additional stored XSS vulnerabilities where user-controlled data was inserted into innerHTML without sanitization."
}
}
}
18 changes: 9 additions & 9 deletions XMOJ.user.js
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,6 +1,6 @@
// ==UserScript==
// @name XMOJ
// @version 3.1.0
// @version 3.1.2
Copy link
Copy Markdown
Contributor

@cubic-dev-ai cubic-dev-ai Bot Feb 19, 2026
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P2: Do not manually edit the userscript version header; it is managed by the UpdateVersion automation. Revert this change and let the workflow update it.

Prompt for AI agents 
Check if this issue is valid — if so, understand the root cause and fix it. At XMOJ.user.js, line 3:

<comment>Do not manually edit the userscript version header; it is managed by the UpdateVersion automation. Revert this change and let the workflow update it.</comment>

<file context>
@@ -1,6 +1,6 @@
 // ==UserScript==
 // @name         XMOJ
-// @version      3.1.0
+// @version      3.1.2
 // @description  XMOJ增强脚本
 // @author       @XMOJ-Script-dev, @langningchen and the community
</file context>
Fix with Cubic

// @description XMOJ增强脚本
// @author @XMOJ-Script-dev, @langningchen and the community
// @namespace https://github/langningchen
Expand Down Expand Up @@ -1912,7 +1912,7 @@ async function main() {
let UpdateDataCardListItem = document.createElement("li");
UpdateDataCardList.appendChild(UpdateDataCardListItem);
UpdateDataCardListItem.className = "list-group-item";
UpdateDataCardListItem.innerHTML = "(<a href=\"https://github.com/XMOJ-Script-dev/XMOJ-Script/pull/" + Data.UpdateContents[j].PR + "\" target=\"_blank\">" + "#" + Data.UpdateContents[j].PR + "</a>) " + Data.UpdateContents[j].Description;
UpdateDataCardListItem.innerHTML = "(<a href=\"https://github.com/XMOJ-Script-dev/XMOJ-Script/pull/" + Data.UpdateContents[j].PR + "\" target=\"_blank\">" + "#" + Data.UpdateContents[j].PR + "</a>) " + escapeHTML(Data.UpdateContents[j].Description);
}
let UpdateDataCardLink = document.createElement("a");
UpdateDataCardBody.appendChild(UpdateDataCardLink);
Expand Down Expand Up @@ -3418,7 +3418,7 @@ async function main() {
let UpdateDataCardListItem = document.createElement("li");
UpdateDataCardList.appendChild(UpdateDataCardListItem);
UpdateDataCardListItem.className = "list-group-item";
UpdateDataCardListItem.innerHTML = "(<a href=\"https://github.com/XMOJ-Script-dev/XMOJ-Script/pull/" + Data.UpdateContents[j].PR + "\" target=\"_blank\">" + "#" + Data.UpdateContents[j].PR + "</a>) " + Data.UpdateContents[j].Description;
UpdateDataCardListItem.innerHTML = "(<a href=\"https://github.com/XMOJ-Script-dev/XMOJ-Script/pull/" + Data.UpdateContents[j].PR + "\" target=\"_blank\">" + "#" + Data.UpdateContents[j].PR + "</a>) " + escapeHTML(Data.UpdateContents[j].Description);
}
let UpdateDataCardLink = document.createElement("a");
UpdateDataCardBody.appendChild(UpdateDataCardLink);
Expand Down Expand Up @@ -3709,8 +3709,8 @@ async function main() {
let UserInfoElement = document.createElement("div");
UserInfoElement.classList.add("col-auto");
UserInfoElement.style.lineHeight = "40px";
UserInfoElement.innerHTML += "用户名:" + UserID + "<br>";
UserInfoElement.innerHTML += "昵称:" + UserNick + "<br>";
UserInfoElement.innerHTML += "用户名:" + escapeHTML(UserID) + "<br>";
UserInfoElement.innerHTML += "昵称:" + escapeHTML(UserNick) + "<br>";
if (UtilityEnabled("Rating")) {
UserInfoElement.innerHTML += "评分:" + ((await GetUserInfo(UserID)).Rating) + "<br>";
}
Expand Down Expand Up @@ -4858,7 +4858,7 @@ int main()
TitleLink.classList.add("link-secondary");
TitleLink.innerHTML = "🔒 ";
}
TitleLink.innerHTML += Posts[i].Title;
TitleLink.innerHTML += escapeHTML(Posts[i].Title);
let AuthorCell = document.createElement("td");
Row.appendChild(AuthorCell);
GetUsernameHTML(AuthorCell, Posts[i].UserID);
Expand Down Expand Up @@ -5202,12 +5202,12 @@ int main()
Delete.style.display = "";
}
}
PostTitle.innerHTML = ResponseData.Data.Title + (ResponseData.Data.ProblemID == 0 ? "" : ` - 题目` + ` <a href="https://www.xmoj.tech/problem.php?id=` + ResponseData.Data.ProblemID + `">` + ResponseData.Data.ProblemID + `</a>`);
PostTitle.innerHTML = escapeHTML(ResponseData.Data.Title) + (ResponseData.Data.ProblemID == 0 ? "" : ` - 题目` + ` <a href="https://www.xmoj.tech/problem.php?id=` + ResponseData.Data.ProblemID + `">` + ResponseData.Data.ProblemID + `</a>`);
document.title = "讨论" + ThreadID + ": " + ResponseData.Data.Title;
PostAuthor.innerHTML = "<span></span>";
GetUsernameHTML(PostAuthor.children[0], ResponseData.Data.UserID);
PostTime.innerHTML = GetRelativeTime(ResponseData.Data.PostTime);
PostBoard.innerHTML = ResponseData.Data.BoardName;
PostBoard.innerHTML = escapeHTML(ResponseData.Data.BoardName);
let Replies = ResponseData.Data.Reply;
PostReplies.innerHTML = "";
for (let i = 0; i < Replies.length; i++) {
Expand Down Expand Up @@ -5357,7 +5357,7 @@ int main()
if (Replies[i].EditPerson == Replies[i].UserID) {
ReplyContentElement.innerHTML += `<span class="text-muted" style="font-size: 12px">最后编辑于${GetRelativeTime(Replies[i].EditTime)}</span>`;
} else {
ReplyContentElement.innerHTML += `<span class="text-muted" style="font-size: 12px">最后被<span class="Usernames">${Replies[i].EditPerson}</span>编辑于${GetRelativeTime(Replies[i].EditTime)}</span>`;
ReplyContentElement.innerHTML += `<span class="text-muted" style="font-size: 12px">最后被<span class="Usernames">${escapeHTML(Replies[i].EditPerson)}</span>编辑于${GetRelativeTime(Replies[i].EditTime)}</span>`;
}
}
let ContentEditElement = document.createElement("div");
Expand Down
2 changes: 1 addition & 1 deletion package.json
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,6 +1,6 @@
{
"name": "xmoj-script",
"version": "3.1.0",
"version": "3.1.2",
Copy link
Copy Markdown
Contributor

@cubic-dev-ai cubic-dev-ai Bot Feb 19, 2026
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P2: Avoid manually updating version numbers; the release automation is responsible for bumping package.json to keep it in sync with XMOJ.user.js and Update.json. Manual edits risk desynchronizing versions.

Prompt for AI agents 
Check if this issue is valid — if so, understand the root cause and fix it. At package.json, line 3:

<comment>Avoid manually updating version numbers; the release automation is responsible for bumping package.json to keep it in sync with XMOJ.user.js and Update.json. Manual edits risk desynchronizing versions.</comment>

<file context>
@@ -1,6 +1,6 @@
 {
   "name": "xmoj-script",
-  "version": "3.1.0",
+  "version": "3.1.2",
   "description": "an improvement script for xmoj.tech",
   "main": "AddonScript.js",
</file context>
Fix with Cubic

"description": "an improvement script for xmoj.tech",
"main": "AddonScript.js",
"scripts": {
Expand Down
Loading