Return to Project-GC

Welcome to Project-GC Q&A. Ask questions and get answers from other Project-GC users.

If you get a good answer, click the checkbox on the left to select it as the best answer.

Upvote answers or questions that have helped you.

If you don't get clear answers, edit your question to make it clearer.

Escaping unusual characters in cache names

+2 votes
91 views

I tagged a checker for cache GC3C2Z7 - ~!@#$%^&*()-_{}[]:;"',>.?/+ Cache Title Challenge. And these characters managed to break HTML on checker page:

<div class="cacheGroup" data-gccode="GC3C2Z7" data-cacheName="~!@#$%^&*()-_{}[]:;"',>.?/+ Cache Title Challenge">


The "data-cacheName" attribute value is not escaped and the contained " and > lets the text go out of the tag. This probably does not have any security implication, but it is a good practice to sanitize the external inputs.  Also other occurrences of the cache name on the same page behaves a bit wrong sometimes.

asked Mar 12, 2016 in Bug reports by Jakuje (Moderator) (104,990 points)

3 Answers

+4 votes
I think this actually has security implications.

You could publish a cache called "><script src="http://bla/malicious.js"></script> Challenge and run code on the systems of PGC visitors. Actually, publish it under a different name, then rename.
answered Mar 12, 2016 by mirabilos (2,680 points)
Good point. I don't play in these waters for some time. But it does not "answer" the "question".
+2 votes

We will look into this. As mirabilos says, it's actually a potential security issue (depending on what Geocaching.com filters out).

answered Mar 15, 2016 by magma1447 (Admin) (220,810 points)
+5 votes
 
Best answer
A fix has been released now. We haven't tested it yet, please feel free to do that for us. :)
answered Mar 15, 2016 by magma1447 (Admin) (220,810 points)
selected Mar 15, 2016 by Jakuje (Moderator)
looks better now. Thanks
...