Conversation
…ts to include --root-path for API routing
Bumps [gunicorn](https://github.com/benoitc/gunicorn) from 21.2.0 to 22.0.0. - [Release notes](https://github.com/benoitc/gunicorn/releases) - [Commits](benoitc/gunicorn@21.2.0...22.0.0) --- updated-dependencies: - dependency-name: gunicorn dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
* reworked a bit of the home CSS * Updated the docker-compose file, changed the Docker start command, and added new fields to the UserProfile model. Implemented JWT authentication in several parts of the project and fixed some configurations in the middleware and serializers. * border radius on pong * Added a base URL for the frontend, implemented the CSRF token in chat and notification requests, and various updates for authentication and user profile handling. --------- Co-authored-by: Lorenzo <150276837+Bombatomica64@users.noreply.github.com>
…; refactor authentication middleware for consistency
…ss the application
…STS across microservices; update API endpoint in registration
…; update settings to use K8S_SERVICE_HOSTS consistently across microservices
Refactor ensure_scheme function to handle both string and list inputs; update settings to use K8S_SERVICE_HOSTS consistently across microservices
…ID; refactor JavaScript for consistency and readability
…ove error handling
…oved error handling in WebSocket connections; update settings to reflect middleware changes
Bumps [gunicorn](https://github.com/benoitc/gunicorn) from 21.2.0 to 22.0.0. - [Release notes](https://github.com/benoitc/gunicorn/releases) - [Commits](benoitc/gunicorn@21.2.0...22.0.0) --- updated-dependencies: - dependency-name: gunicorn dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
fixed some URLs and added a Bootstrap dropdown menu
profile img updated
* Add friend management features and update user profile permissions; refactor friendship acceptance logic * Refactor permissions and serializers; add block user functionality and MinIO storage configuration * Add JWT validation microservice with initial setup and configuration * Add MinIO storage integration and update settings for media URLs
…url and update logic for current avatar handling
* fix xss in alert.js * refactor: update package.json to remove unnecessary serve dependency and fix formatting * fixed alert bug * feat: implement escapeHTML function and apply HTML escaping in renderChatBubble * refactor: replace showNotification with showAlertForXSeconds in multiplayer and alert modules; enhance notification styles and functionality remove xss * samu kekw * refactor: update Dockerfile for multi-stage builds; enhance notification handling in alert and notification modules * Add game and tournament message handlers - Implement game invitation, start, end, and creation message handlers in notification system. - Refactor tournament message handling to include creation and deletion notifications. - Move game-related functions to a dedicated handler file for better organization. - Update notification rendering for tournaments to reflect changes in the UI. * refactor: sanitize receiver username and ID in friend request notifications * fix: correct indentation in service_docs function for service name validation
* fix xss in alert.js * refactor: update package.json to remove unnecessary serve dependency and fix formatting * fixed alert bug * feat: implement escapeHTML function and apply HTML escaping in renderChatBubble * refactor: replace showNotification with showAlertForXSeconds in multiplayer and alert modules; enhance notification styles and functionality remove xss * samu kekw * refactor: update Dockerfile for multi-stage builds; enhance notification handling in alert and notification modules * Add game and tournament message handlers - Implement game invitation, start, end, and creation message handlers in notification system. - Refactor tournament message handling to include creation and deletion notifications. - Move game-related functions to a dedicated handler file for better organization. - Update notification rendering for tournaments to reflect changes in the UI. * refactor: sanitize receiver username and ID in friend request notifications * fix: correct indentation in service_docs function for service name validation * fix: log error details and return generic message on friend request acceptance failure
* animated login CSS, still missing the reverse on logout and when I get redirected for an expired token * end of the animation on logout too * done * whoops
…logging with error handling
* it doesn't do const isCreator * tournament buttons CSS
* AI SIMO, the menu needs to be changed to leave only medium, and if you press back in that menu it doesn't work * fix, and it starts straight away on medium * profile image and 2FA CSS
…ssary parameters and clean up commented code in profile.js
…n showOTPVerificationForm
…logging and tournament ID retrieval
* dunno * forgor (it doesn't change anything just visual clutter in get_brackets) * tournaments --------- Co-authored-by: bombatomica <qualcosa2001@gmail.com>
* dunno * forgor (it doesn't change anything just visual clutter in get_brackets) * tournaments * Enhance tournament expiration handling: determine winner based on current round state and log detailed tournament status for debugging --------- Co-authored-by: marcor2742 <marcoruggiero.mail@gmail.com>
Co-authored-by: SamyBravy <samybravy@gmail.com>
8da101a to 63ca2c1 Compare
|
|
||
| # ✅ DEBUG CONFIGURAZIONE 42 | ||
| if provider.lower() == '42': | ||
| logger.info(f"🔧 42 Config - Client ID: {provider_config['client_id'][:10]}...") |
Check failure
Code scanning / CodeQL
Clear-text logging of sensitive information High
Copilot Autofix
AI 5 months ago
The best approach is to remove or sanitize the logging of sensitive credential information. For OAuth providers, instead of dumping or partially printing client IDs, only log that a config is present or mask all but a tiny part (if strictly necessary for debugging), or ideally avoid logging the value at all.
Change needed:
- In Back-End/login/my_login/views.py, specifically on line 219, remove or redact the output that includes the actual value of provider_config['client_id'].
- Option 1 (most secure): Log only the presence or length/obscure the value (e.g., log length or a fixed string).
- Option 2 (if absolutely necessary for debugging): Mask all but the last 2 characters (***IDxx) and note that this is a partial value.
- Since this is a debug log for a specific provider and not essential for normal operation, it's best just to log the presence, not the value.
No new methods or imports are necessary.
Simply modify (or comment out) the offending logging statement to remove value exposure.
| @@ -216,7 +216,7 @@ | ||
|
|
||
| # ✅ DEBUG CONFIGURAZIONE 42 | ||
| if provider.lower() == '42': | ||
| logger.info(f"🔧 42 Config - Client ID: {provider_config['client_id'][:10]}...") | ||
| logger.info("🔧 42 Config - Client ID present (length: %d)", len(provider_config['client_id']) if 'client_id' in provider_config else 0) | ||
| logger.info(f"🔧 42 Config - Client Secret present: {bool(provider_config['client_secret'])}") | ||
| logger.info(f"🔧 42 Config - Token URL: {provider_config['token_url']}") | ||
| logger.info(f"🔧 42 Config - Redirect URI: {provider_config['redirect_uri']}") |
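Review bot: the new line guards `client_id` with `if 'client_id' in provider_config else 0`, while the unchanged lines below still index `provider_config['client_secret']`, `['token_url']` and `['redirect_uri']` directly, so a missing key would still raise one line later; either use `.get()` throughout or drop the guard. The three remaining context lines still log the token URL and redirect URI in clear text and are flagged as separate alerts further down this page; folding them into this one change (and moving the whole provider-config dump to `logger.debug`) is cleaner than landing three one-line fixes.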
| if provider.lower() == '42': | ||
| logger.info(f"🔧 42 Config - Client ID: {provider_config['client_id'][:10]}...") | ||
| logger.info(f"🔧 42 Config - Client Secret present: {bool(provider_config['client_secret'])}") | ||
| logger.info(f"🔧 42 Config - Token URL: {provider_config['token_url']}") |
Check failure
Code scanning / CodeQL
Clear-text logging of sensitive information High
Copilot Autofix
AI 5 months ago
To fix this issue, you should either completely remove the logging of the token_url or restrict such logging to a development/debug environment only. The safest and simplest method is to remove or sanitize the log entry to avoid outputting sensitive or internal configuration data. In this case, you can replace the log statement on line 221 with a generic message indicating that the token URL is set, without revealing the actual URL. If you need to log such information, do so only if an environment variable (like DEBUG) is set, and ideally mask the output. This change should be made in Back-End/login/my_login/views.py, around line 221.
No additional imports or new methods are needed; just modify or remove the logging line.
| @@ -218,7 +218,7 @@ | ||
| if provider.lower() == '42': | ||
| logger.info(f"🔧 42 Config - Client ID: {provider_config['client_id'][:10]}...") | ||
| logger.info(f"🔧 42 Config - Client Secret present: {bool(provider_config['client_secret'])}") | ||
| logger.info(f"🔧 42 Config - Token URL: {provider_config['token_url']}") | ||
| logger.info("🔧 42 Config - Token URL is set.") | ||
| logger.info(f"🔧 42 Config - Redirect URI: {provider_config['redirect_uri']}") | ||
|
|
||
| # recupero code_verifier dalla sessione |
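Review bot: `logger.info("🔧 42 Config - Token URL is set.")` is a constant string that is printed whether or not the key is present, so it no longer tells the reader anything; if the intent is a presence check, mirror the Client Secret line with `logger.info("🔧 42 Config - Token URL present: %s", bool(provider_config.get('token_url')))`. These provider-config diagnostics would also be better emitted once at startup at DEBUG level than on every callback at INFO.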
| logger.info(f"🔧 42 Config - Client ID: {provider_config['client_id'][:10]}...") | ||
| logger.info(f"🔧 42 Config - Client Secret present: {bool(provider_config['client_secret'])}") | ||
| logger.info(f"🔧 42 Config - Token URL: {provider_config['token_url']}") | ||
| logger.info(f"🔧 42 Config - Redirect URI: {provider_config['redirect_uri']}") |
Check failure
Code scanning / CodeQL
Clear-text logging of sensitive information High
Copilot Autofix
AI 5 months ago
To mitigate the risk of clear-text logging of sensitive data, the best approach is to ensure that sensitive values—such as redirect URIs—are not logged. In this snippet, the intent seems to be a debug statement for "42" OAuth configuration; logging whether the redirect URI is present (or its domain/endpoint, if less-sensitive) could provide sufficient debug info without exposing its full value. Alternatively, the field can be fully masked/obscured.
Recommended fix:
- On line 222 of Back-End/login/my_login/views.py, replace the log statement:
  logger.info(f"🔧 42 Config - Redirect URI: {provider_config['redirect_uri']}")
  with a non-revealing alternative, such as:
  logger.info("🔧 42 Config - Redirect URI present: %s", bool(provider_config.get('redirect_uri')))
  or, if useful, log just the domain using urllib.parse.urlparse, after importing that at the top if not already present.
What is needed:
- Change the log message to avoid logging the full URI.
- Adjust or add imports only if you show code that extracts domains, but the simplest solution just logs presence.
| @@ -219,7 +219,7 @@ | ||
| logger.info(f"🔧 42 Config - Client ID: {provider_config['client_id'][:10]}...") | ||
| logger.info(f"🔧 42 Config - Client Secret present: {bool(provider_config['client_secret'])}") | ||
| logger.info(f"🔧 42 Config - Token URL: {provider_config['token_url']}") | ||
| logger.info(f"🔧 42 Config - Redirect URI: {provider_config['redirect_uri']}") | ||
| logger.info(f"🔧 42 Config - Redirect URI present: {bool(provider_config.get('redirect_uri'))}") | ||
|
|
||
| # recupero code_verifier dalla sessione | ||
| code_verifier = request.session.get('code_verifier') |
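Review bot: the redirect URI is what the callback is validated against, so logging only `bool(...)` hides exactly the misconfiguration this debug line was presumably added to catch; if the full URI must stay out of the logs, logging its host (`urllib.parse.urlparse(provider_config.get('redirect_uri', '')).hostname`) keeps the diagnostic value. Note the inconsistency within the block: this line uses `.get('redirect_uri')` while the neighbouring lines index `provider_config[...]` directly.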
| logger.info("🔧 42 Token Request Data: [REDACTED]") | ||
| logger.info(" - Sensitive fields have been redacted for security.") | ||
|
|
||
| logger.info(f"Making token request to: {provider_config['token_url']}") |
Check failure
Code scanning / CodeQL
Clear-text logging of sensitive information High
Copilot Autofix
AI 5 months ago
To resolve this, we should avoid logging the potentially sensitive or tainted value of provider_config['token_url'] directly. Instead, log only a generic message indicating a token request is being made, or (if helpful for debugging) log that the token request is being made for OAuth provider <provider> without showing the (taintable) endpoint. If logging the URL is absolutely necessary from an operational point of view, the code must sanitize it thoroughly or ensure it's never user-controlled, but here the best fix is simply to redact the value entirely.
Edit only the log line at line 254 in Back-End/login/my_login/views.py, replacing it with a sanitized/safe log message.
| @@ -251,7 +251,7 @@ | ||
| logger.info("🔧 42 Token Request Data: [REDACTED]") | ||
| logger.info(" - Sensitive fields have been redacted for security.") | ||
|
|
||
| logger.info(f"Making token request to: {provider_config['token_url']}") | ||
| logger.info("Making token request for OAuth provider '%s'" % provider) | ||
| logger.info("Token data keys: [REDACTED]") | ||
| logger.info(" - Sensitive keys have been excluded from logging for security.") | ||
|
|
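Review bot: `logger.info("Making token request for OAuth provider '%s'" % provider)` formats eagerly with `%` and introduces a third string style into a block that otherwise mixes f-strings and logger arguments; write it as `logger.info("Making token request for OAuth provider %s", provider)`. The surrounding `[REDACTED]` lines (`Token Request Data: [REDACTED]`, `Token data keys: [REDACTED]` and the two `- Sensitive ... for security.` lines) carry no information and read as leftovers of an earlier debug dump; drop them rather than log static text.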
| token_response = requests.post(provider_config['token_url'], data=token_data) | ||
|
|
||
| logger.info(f"Token response status: {token_response.status_code}") | ||
| logger.info(f"Token response text: {token_response.text}") |
Check failure
Code scanning / CodeQL
Clear-text logging of sensitive information High
Copilot Autofix
AI 5 months ago
The best fix is to prevent the logging of the full token response text, as it often contains sensitive information. Instead, log only non-sensitive metadata such as the status code and headers (headers can still have sensitive information, be cautious). If you need to log the body for debugging, redact/restrict it, or include only safe fields. All changes should be applied to Back-End/login/my_login/views.py, specifically replacing or removing the line:
logger.info(f"Token response text: {token_response.text}")
with a line that does not log sensitive data. If some information from the response must be logged for diagnostics, only log non-sensitive details—otherwise, remove or comment out the line.
No new methods or imports are required, as the logger is already present.
| @@ -259,7 +259,7 @@ | ||
| token_response = requests.post(provider_config['token_url'], data=token_data) | ||
|
|
||
| logger.info(f"Token response status: {token_response.status_code}") | ||
| logger.info(f"Token response text: {token_response.text}") | ||
| logger.info("Token response text: [REDACTED]") | ||
|
|
||
| # ✅ DEBUG RISPOSTA TOKEN PER 42 | ||
| if provider.lower() == '42': |
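Review bot: `logger.info("Token response text: [REDACTED]")` is a static line that logs nothing useful; either remove it or log metadata that helps diagnose a failed exchange without the body, such as `token_response.headers.get('Content-Type')` and `len(token_response.content)`. The trailing context `# ✅ DEBUG RISPOSTA TOKEN PER 42` / `if provider.lower() == '42':` opens a provider-specific block that, per the next alert on this page, still writes `token_response.text` via `logger.error(f" - Text: {token_response.text}")`, so this hunk does not close the finding on its own.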
| logger.error(f" - Text: {token_response.text}") | ||
|
|
||
| if not token_response.ok: | ||
| logger.error(f'Token exchange failed: {token_response.text}') |
Check failure
Code scanning / CodeQL
Clear-text logging of sensitive information High
Copilot Autofix
AI 5 months ago
Sensitive information such as OAuth2 token endpoint responses should never be logged in cleartext, especially on error, since they may contain access tokens or secrets. The best way to resolve this is to redact or completely omit the potentially sensitive token_response.text. Instead, only log the HTTP status code, provider name, or a generic error indication. This preserves needed debugging without risking disclosure. Specifically, in Back-End/login/my_login/views.py, on line 272, change the log message to exclude token_response.text, perhaps replacing it with a static [REDACTED] notice.
| @@ -269,7 +269,7 @@ | ||
| logger.error(f" - Text: {token_response.text}") | ||
|
|
||
| if not token_response.ok: | ||
| logger.error(f'Token exchange failed: {token_response.text}') | ||
| logger.error(f'Token exchange failed for provider {provider}. Response text: [REDACTED]') | ||
| return self.handle_popup_response(error='token_exchange_failed') | ||
|
|
||
| token_response_data = token_response.json() |
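Review bot: the first context line of this hunk, `logger.error(f" - Text: {token_response.text}")`, still writes the raw token response body to the error log, so the finding remains one line above the fix; the change should cover that line as well. For the replaced line, `Response text: [REDACTED]` adds nothing; log the status instead, e.g. `logger.error('Token exchange failed for provider %s with status %s', provider, token_response.status_code)`.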
| ) | ||
|
|
||
| if not user_info_response.ok: | ||
| logger.error(f'User info request failed: {user_info_response.text}') |
Check failure
Code scanning / CodeQL
Clear-text logging of sensitive information High
Copilot Autofix
AI 5 months ago
To fix the problem, avoid logging the entire contents of user_info_response.text when reporting failures of the user info request. Instead, log only safe, non-sensitive metadata (e.g., just the status code or a high-level error indicator), or a generic message. If it is necessary to retain some debugging information about the error, consider truncating the message, or stripping out potentially sensitive elements of the body (like email, tokens, password fields, etc.), but the most robust solution is to avoid logging the body altogether.
Specifically:
- In Back-End/login/my_login/views.py, on line 289, change
  logger.error(f'User info request failed: {user_info_response.text}')
  to something like
  logger.error(f'User info request failed with status {user_info_response.status_code}')
- Optionally, you may include user_info_response.reason or log headers if required, but do not log the full body.
- No new imports are needed.
Only this one line in Back-End/login/my_login/views.py needs to be adjusted.
| @@ -286,7 +286,7 @@ | ||
| ) | ||
|
|
||
| if not user_info_response.ok: | ||
| logger.error(f'User info request failed: {user_info_response.text}') | ||
| logger.error(f'User info request failed with status {user_info_response.status_code}') | ||
| return self.handle_popup_response(error='user_info_failed') | ||
|
|
||
| user_info = user_info_response.json() |
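Review bot: logging the status code instead of the body is the right change, and `user_info_response.reason` would add the HTTP reason phrase at no risk. Two small points: the f-string is formatted even when the logger is disabled, so `logger.error('User info request failed with status %s', user_info_response.status_code)` is the idiomatic form; and `user_info_response.json()` on the trailing context line raises if the provider returns a non-JSON body, which this error path does not guard against.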
| return self.handle_popup_response(error='user_info_failed') | ||
|
|
||
| user_info = user_info_response.json() | ||
| logger.info(f"User info received: {user_info}") |
Check failure
Code scanning / CodeQL
Clear-text logging of sensitive information High
Copilot Autofix
AI 5 months ago
The fix should ensure that sensitive information is not logged. The best approach here is to avoid logging the entire user_info dictionary and instead log only non-sensitive attributes (for example, the user's email and username, if present). If more detailed debugging info is needed, log only explicit, non-sensitive fields that the code expects.
Detailed Fix Steps:
- Update line 293 in Back-End/login/my_login/views.py to only log relevant, non-sensitive attributes from user_info, e.g., email and username (or similar name fields).
- If a more generic solution is needed (for future extension), implement a helper function to redact sensitive fields from dictionaries before logging.
- No changes to imports are required unless a helper function is introduced; in this fix, the logging call is simply updated.
| @@ -290,7 +290,7 @@ | ||
| return self.handle_popup_response(error='user_info_failed') | ||
|
|
||
| user_info = user_info_response.json() | ||
| logger.info(f"User info received: {user_info}") | ||
| logger.info(f"User info received: email={user_info.get('email')}, username={user_info.get('name', user_info.get('login'))}") | ||
|
|
||
| # Create or get user | ||
| if provider.lower() == 'google': |
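Review bot: the replacement still logs `user_info.get('email')` at INFO on every login, and an e-mail address is personal data that the same clear-text-logging query is likely to flag again; log the provider's stable user id (or the username alone) and keep the e-mail out of the message. `user_info.get('name', user_info.get('login'))` also evaluates the fallback eagerly and conflates a display name with a login; pick the field each provider actually returns inside the per-provider branch that follows (`if provider.lower() == 'google':`).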
| api_key = request.headers.get('X-API-KEY') | ||
| if not api_key or api_key != settings.API_KEY: | ||
| logger.warning(f"Invalid API key attempt: {api_key}") | ||
| auth_logger.warning(f"Invalid API key attempt: {api_key}, path: {request.path}") |
Check failure
Code scanning / CodeQL
Clear-text logging of sensitive information High
Copilot Autofix
AI 5 months ago
To fix the problem, the log message should avoid including the api_key value in clear text.
Instead, the log can record the event ("Invalid API key attempt") and relevant context such as the request path, but should mask, omit, or truncate the API key.
Best practice is to not include any sensitive value, but if traceability requires, you may include only a short hash/fingerprint or the last few characters (e.g., api_key[-4:]).
For this case, remove api_key from the log message, or, if helpful for investigation, log a minimal/non-sensitive fingerprint instead (e.g., "ending with ..."). No significant changes or additional imports are needed—just a change to the log string on line 33.
| @@ -30,7 +30,7 @@ | ||
| # Check for API key | ||
| api_key = request.headers.get('X-API-KEY') | ||
| if not api_key or api_key != settings.API_KEY: | ||
| auth_logger.warning(f"Invalid API key attempt: {api_key}, path: {request.path}") | ||
| auth_logger.warning(f"Invalid API key attempt on path: {request.path}") | ||
| raise exceptions.AuthenticationFailed('Invalid API key') | ||
|
|
||
| # For additional security, validate JWT token |
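Review bot: `api_key != settings.API_KEY` compares the header with an ordinary string comparison; use `hmac.compare_digest(api_key, settings.API_KEY)` so the check does not short-circuit on the first differing byte. The new warning keeps `request.path`, which is useful; adding the client address from `request.META.get('REMOTE_ADDR')` and distinguishing "header missing" from "header present but wrong" (without logging the value) gives responders what they need to triage without reintroducing the secret.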
| # Check for API key | ||
| api_key = request.headers.get('X-API-KEY') | ||
| if not api_key or api_key != settings.API_KEY: | ||
| logger.warning(f"Invalid API key attempt: {api_key}") |
Check failure
Code scanning / CodeQL
Clear-text logging of sensitive information High
Copilot Autofix
AI 5 months ago
The best way to fix this issue is to avoid logging the value of the API key itself. Logs should not contain any sensitive values, like API keys, passwords, or tokens. Instead, log an event saying that there was an invalid API key attempt, optionally including non-sensitive data, such as the source IP address or request path if needed for troubleshooting (as long as that information itself does not contain sensitive data).
The fix is to replace the line:
logger.warning(f"Invalid API key attempt: {api_key}")
with:
logger.warning("Invalid API key attempt.")
If further detail is desired for traceability, you can log the request's path or remote address by using attributes like request.path or request.META.get('REMOTE_ADDR'), as long as these are not considered sensitive in your application context.
No new imports or method definitions are needed.
| @@ -25,7 +25,7 @@ | ||
| # Check for API key | ||
| api_key = request.headers.get('X-API-KEY') | ||
| if not api_key or api_key != settings.API_KEY: | ||
| logger.warning(f"Invalid API key attempt: {api_key}") | ||
| logger.warning("Invalid API key attempt.") | ||
| raise exceptions.AuthenticationFailed('Invalid API key') | ||
|
|
||
| # Return anonymous user for service-to-service authentication |
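Review bot: this is the same API-key check as the one fixed in the `@@ -30,7 +30,7 @@` hunk above, down to the `exceptions.AuthenticationFailed('Invalid API key')` raise, so the two copies will drift; move it into one shared authentication class that both services import. The replacement `logger.warning("Invalid API key attempt.")` also drops all context, unlike the sibling fix which kept `request.path`; keep at least the path here too, and use `hmac.compare_digest` for the comparison in both places.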
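An added example, not the project's code: the redaction helper the user-info autofix above suggests, extended into a logging filter that covers the shapes of every clear-text-logging alert on this page (partial client IDs in text, token and user-info dicts, bearer tokens, and the bare API key the two hunks above drop from the message). The key names, logger name and all sample values are constructed for the example.

```python
import logging
import re

# Keys whose values must never reach a log line. The names are assumed for this
# example; the project's real provider_config and settings layout is not on the page.
SENSITIVE_KEYS = frozenset({
    "client_id", "client_secret", "access_token", "refresh_token", "id_token",
    "code_verifier", "api_key", "password", "email",
})
REDACTED = "[REDACTED]"

# Matches "key: value", "key=value", "'key': 'value'" and "Client ID: value" in an
# already formatted message (an f-string is rendered before the logger sees it).
# Values starting with '%' are skipped so a lazy placeholder like "api_key: %s" survives.
_KEY_ALT = "|".join(k.replace("_", r"[_ ]?") for k in sorted(SENSITIVE_KEYS))
_KV_RE = re.compile(
    r"\b(?P<key>" + _KEY_ALT + r")\b"
    r"(?P<sep>['\"]?\s*[:=]\s*['\"]?)"
    r"(?!%)[^'\",\s}]+",
    re.IGNORECASE,
)
_BEARER_RE = re.compile(r"(Bearer\s+)[A-Za-z0-9._~+/=-]+", re.IGNORECASE)


def redact(obj):
    """Return a deep copy of obj with the values of sensitive keys replaced."""
    if isinstance(obj, dict):
        return {k: REDACTED if str(k).lower() in SENSITIVE_KEYS else redact(v)
                for k, v in obj.items()}
    if isinstance(obj, (list, tuple)):
        return type(obj)(redact(v) for v in obj)
    return obj


def redact_text(text):
    """Redact labelled values and bearer tokens inside free text."""
    text = _KV_RE.sub(lambda m: m.group("key") + m.group("sep") + REDACTED, text)
    return _BEARER_RE.sub(r"\g<1>" + REDACTED, text)


class RedactingFilter(logging.Filter):
    """Logger-level filter: rewrites the record before any handler formats it."""

    def filter(self, record):
        record.msg = redact_text(str(record.msg))
        if isinstance(record.args, dict):        # logger.info("%s", some_dict)
            record.args = redact(record.args)
        elif isinstance(record.args, tuple):
            record.args = tuple(
                redact(a) if isinstance(a, (dict, list, tuple))
                else redact_text(a) if isinstance(a, str) else a
                for a in record.args)
        return True


class _ListHandler(logging.Handler):
    """Collects the rendered messages so the filter's effect can be checked."""

    def __init__(self):
        super().__init__()
        self.messages = []

    def emit(self, record):
        self.messages.append(record.getMessage())


def demo_messages():
    """Emit lines shaped like the ones CodeQL flagged above (all values are
    constructed) and return what a handler would actually write."""
    logger = logging.getLogger("example.redaction")
    logger.setLevel(logging.INFO)
    logger.propagate = False
    handler = _ListHandler()
    logger.handlers = [handler]
    logger.filters = [RedactingFilter()]

    client_id = "u-abcdef0123456789"                                    # constructed
    user_info = {"id": 1234, "login": "jdoe", "email": "jdoe@example.com"}
    token_data = {"access_token": "tok-abc", "token_type": "bearer", "expires_in": 7200}

    logger.info(f"42 Config - Client ID: {client_id[:10]}...")  # partial value in text
    logger.info(f"User info received: {user_info}")             # dict rendered into text
    logger.info("Token response data: %s", token_data)          # dict passed as an arg
    logger.info("Authorization: Bearer eyJhbGciOi.payload.sig")
    # A bare secret with no label is invisible to any filter; this is why the
    # API-key hunks drop the value from the message instead of masking it.
    logger.warning("Invalid API key attempt: %s, path: %s", "sk-live-123", "/api/x")
    return handler.messages
```

The last message shows the limit of the approach: a value with no label passes straight through, so the filter is a safety net behind the hunks' primary fix of not logging the value at all.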
| contentDiv.innerHTML = ` | ||
| <div class="pong-app"> | ||
| <div class="gamecontainer position-relative"> | ||
| <div id="threejs-container" class="w-100 h-100"></div> | ||
|
|
||
| <!-- Multiplayer UI Overlay --> | ||
| <div class="position-absolute top-0 end-0 p-3 bg-dark bg-opacity-75 text-white rounded-bottom"> | ||
| <div class="mb-2"> | ||
| <i class="fas fa-wifi me-2"></i> | ||
| <span class="fw-bold">vs ${opponentName}</span> | ||
| </div> | ||
| <div id="connection-status" class="small"> | ||
| <span class="badge bg-warning">Connecting...</span> | ||
| </div> | ||
| </div> | ||
|
|
||
| <!-- Ready Screen - Always show this, no overlay needed --> | ||
| <div id="ready-screen" class="position-absolute top-50 start-50 translate-middle text-center p-4 bg-dark bg-opacity-75 rounded shadow" style="min-width: 400px; max-width: 500px;"> | ||
| <div class="d-flex flex-column h-100"> | ||
| <!-- Header --> | ||
| <div class="mb-4"> | ||
| <h2 class="text-light mb-3">🎮 Multiplayer Pong</h2> | ||
| <h5 class="text-light">🥊 You vs ${opponentName}</h5> | ||
| </div> | ||
|
|
||
| <!-- Player Status Section --> | ||
| <div class="mb-4"> | ||
| <div class="row g-3"> | ||
| <div class="col-12"> | ||
| <div id="player-ready-status" class="d-flex justify-content-between align-items-center p-2 bg-dark bg-opacity-50 rounded"> | ||
| <span class="text-success"> | ||
| <i class="fas fa-user me-2"></i>You: | ||
| </span> | ||
| <span class="badge bg-warning">Not Ready</span> | ||
| </div> | ||
| </div> | ||
| <div class="col-12"> | ||
| <div id="opponent-ready-status" class="d-flex justify-content-between align-items-center p-2 bg-dark bg-opacity-50 rounded"> | ||
| <span class="text-primary"> | ||
| <i class="fas fa-user-friends me-2"></i>${opponentName}: | ||
| </span> | ||
| <span class="badge bg-warning">Not Ready</span> | ||
| </div> | ||
| </div> | ||
| </div> | ||
| </div> | ||
|
|
||
| <!-- Action Buttons --> | ||
| <div class="mb-4"> | ||
| <div class="d-grid gap-2"> | ||
| <button id="ready-button" class="btn btn-success btn-lg"> | ||
| <i class="fas fa-check-circle me-2"></i>Ready to Play | ||
| </button> | ||
| <button id="leave-game-btn" class="btn btn-outline-danger"> | ||
| <i class="fas fa-sign-out-alt me-2"></i>Leave Game | ||
| </button> | ||
| </div> | ||
| </div> | ||
|
|
||
| <!-- Controls Info --> | ||
| <div class="mt-auto"> | ||
| <div class="text-light small"> | ||
| <p class="mb-1 fw-bold">🎮 Controls:</p> | ||
| <div class="d-flex justify-content-center gap-3"> | ||
| <span><kbd class="bg-secondary text-white px-2 py-1 rounded">W</kbd> Move Up</span> | ||
| <span><kbd class="bg-secondary text-white px-2 py-1 rounded">S</kbd> Move Down</span> | ||
| </div> | ||
| </div> | ||
| </div> | ||
| </div> | ||
| </div> | ||
|
|
||
| <!-- In-game controls info --> | ||
| <div id="controls-info" class="position-absolute bottom-0 start-0 p-3 bg-dark bg-opacity-75 text-white rounded-top" style="display: none;"> | ||
| <div class="small"> | ||
| <div><strong>W</strong> - Move Up</div> | ||
| <div><strong>S</strong> - Move Down</div> | ||
| <div><strong>ESC</strong> - Pause</div> | ||
| </div> | ||
| </div> | ||
| </div> | ||
| </div> | ||
| `; |
Check failure
Code scanning / CodeQL
Client-side cross-site scripting High
Copilot Autofix
AI 5 months ago
The best way to fix the problem is to ensure that untrusted user input (such as opponentName) is escaped for HTML context before being interpolated into a template string that sets innerHTML. This prevents malicious HTML or JavaScript from being executed.
To keep functionality unchanged, we should define a small utility function (for example, escapeHTML) within the file to encode special characters (&, <, >, ", ', /). We should then use this function for every interpolation of opponentName inside the template literal. All other code should remain unchanged, and the escape function should be added only in the relevant file.
Specifically, in file Front-End/public/pong/multiplayer/multiplayerPong.js:
- Add the escapeHTML function near the top or just inside renderMultiplayerPong (but outside the template literal).
- Before the template, call const safeOpponentName = escapeHTML(opponentName);
- Use ${safeOpponentName} instead of ${opponentName} for all interpolations in the template literal (lines 54, 67, 84).
This ensures that user-controlled content cannot break out of its intended context or inject scripts.
No new packages are required for this standard HTML escaping step.
| @@ -16,6 +16,16 @@ | ||
| existingRoomId = null, | ||
| tournamentId = null | ||
| ) { | ||
| // Escape HTML utility for user-supplied content | ||
| function escapeHTML(str) { | ||
| return String(str) | ||
| .replace(/&/g, "&") | ||
| .replace(/</g, "<") | ||
| .replace(/>/g, ">") | ||
| .replace(/"/g, """) | ||
| .replace(/'/g, "'") | ||
| .replace(/\//g, "/"); | ||
| } | ||
| window.multiplayerGameInfo = { | ||
| opponentId, | ||
| opponentName, | ||
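Review bot: as rendered, every `.replace` in `escapeHTML` maps a character to itself (`.replace(/</g, "<")`), so the helper escapes nothing; the replacement strings must be the entities `&amp;`, `&lt;`, `&gt;`, `&quot;`, `&#39;` and `&#x2F;`. Defining the function inside `renderMultiplayerPong` also recreates it on every call, and the commit list above mentions an `escapeHTML` already implemented for `renderChatBubble`; import that one rather than keeping a second copy.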
| @@ -42,6 +52,7 @@ | ||
| contentDiv.classList.remove("animate-margin", "animate-margin-logout"); | ||
| contentDiv.style.margin = "0 10px 10px 0"; | ||
|
|
||
| const safeOpponentName = escapeHTML(opponentName); | ||
| contentDiv.innerHTML = ` | ||
| <div class="pong-app"> | ||
| <div class="gamecontainer position-relative"> | ||
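Review bot: computing `safeOpponentName` once before the template is right, but `opponentName` is also stored raw in `window.multiplayerGameInfo` in the `@@ -16,6 +16,16 @@` hunk; that is fine as data only as long as nothing later reads it back into `innerHTML`. An approach that needs no escaping helper at all is to keep `${opponentName}` out of the template and set the name afterwards with `contentDiv.querySelector('.fw-bold').textContent = 'vs ' + opponentName`, and likewise for the header and the status row.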
| @@ -51,7 +62,7 @@ | ||
| <div class="position-absolute top-0 end-0 p-3 bg-dark bg-opacity-75 text-white rounded-bottom"> | ||
| <div class="mb-2"> | ||
| <i class="fas fa-wifi me-2"></i> | ||
| <span class="fw-bold">vs ${opponentName}</span> | ||
| <span class="fw-bold">vs ${safeOpponentName}</span> | ||
| </div> | ||
| <div id="connection-status" class="small"> | ||
| <span class="badge bg-warning">Connecting...</span> | ||
| @@ -64,7 +75,7 @@ | ||
| <!-- Header --> | ||
| <div class="mb-4"> | ||
| <h2 class="text-light mb-3">🎮 Multiplayer Pong</h2> | ||
| <h5 class="text-light">🥊 You vs ${opponentName}</h5> | ||
| <h5 class="text-light">🥊 You vs ${safeOpponentName}</h5> | ||
| </div> | ||
|
|
||
| <!-- Player Status Section --> | ||
| @@ -81,7 +92,7 @@ | ||
| <div class="col-12"> | ||
| <div id="opponent-ready-status" class="d-flex justify-content-between align-items-center p-2 bg-dark bg-opacity-50 rounded"> | ||
| <span class="text-primary"> | ||
| <i class="fas fa-user-friends me-2"></i>${opponentName}: | ||
| <i class="fas fa-user-friends me-2"></i>${safeOpponentName}: | ||
| </span> | ||
| <span class="badge bg-warning">Not Ready</span> | ||
| </div> |
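Review bot: with this hunk the three interpolations the alert listed (lines 54, 67, 84) are all replaced, so no user-controlled value remains in the template literal; verify that the later code which flips `#opponent-ready-status` from "Not Ready" to ready does not rebuild that element's `innerHTML` with the raw name, since that path is outside the diff.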
No description provided.