Return to Project-GC

Welcome to Project-GC Q&A. Ask questions and get answers from other Project-GC users.

If you get a good answer, click the checkbox on the left to select it as the best answer.

Upvote answers or questions that have helped you.

If you don't get clear answers, edit your question to make it clearer.

+2 votes
91 views

I tagged a checker for cache GC3C2Z7 - ~!@#$%^&*()-_{}[]:;"',>.?/+ Cache Title Challenge. And these characters managed to break HTML on checker page:

<div class="cacheGroup" data-gccode="GC3C2Z7" data-cacheName="~!@#$%^&*()-_{}[]:;"',>.?/+ Cache Title Challenge">


The "data-cacheName" attribute value is not escaped and the contained " and > lets the text go out of the tag. This probably does not have any security implication, but it is a good practice to sanitize the external inputs.  Also other occurrences of the cache name on the same page behaves a bit wrong sometimes.

in Bug reports by Jakuje (Moderator) (113k points)

3 Answers

+5 votes
 
Best answer
A fix has been released now. We haven't tested it yet, please feel free to do that for us. :)
by magma1447 (Admin) (224k points)
selected by Jakuje (Moderator)
looks better now. Thanks
+4 votes
I think this actually has security implications.

You could publish a cache called "><script src="http://bla/malicious.js"></script> Challenge and run code on the systems of PGC visitors. Actually, publish it under a different name, then rename.
by mirabilos (2.7k points)
Good point. I don't play in these waters for some time. But it does not "answer" the "question".
+2 votes

We will look into this. As mirabilos says, it's actually a potential security issue (depending on what Geocaching.com filters out).

by magma1447 (Admin) (224k points)
...