Dynmap: XSS Vulnerablity

Created on 23 Apr 2017  路  7Comments  路  Source: webbukkit/dynmap

player.setDisplayName("");

Bug Fixed

Most helpful comment

Not considering whether "it is okay for server admin to xss attack a player".

But sometimes a player can change their name, or create a custom marker to show on dynmap. Say I am a bad player and create a marker called "My Awesome Shop". Then everyone on the dynmap will be redirected to that website.

All 7 comments

I dont see why fixing this is necessary

When player is able to create custom markers, or creating a marker through another plugin, or able to change their name.

Fixing this is necessary. It is a security vulnerability. HTML should be sanitized after all.

@connection-lost
That is more like a feature ;)

@SimonOrJ
Yes, it is a vulnerability. I must also admit that I completely forgot that dynmap can be configured to require authentication (something that I have never used). In that case it is not a waste of time fixing this.
Totally agree that code should be correct.

Otherwhise, I can't see why this is a really dangerous thing in this case - yet.

Not considering whether "it is okay for server admin to xss attack a player".

But sometimes a player can change their name, or create a custom marker to show on dynmap. Say I am a bad player and create a marker called "My Awesome Shop". Then everyone on the dynmap will be redirected to that website.

@connection-lost
Excellent point!

Should be fixed in today's dev builds for 2.6 and 3.0

Was this page helpful?
0 / 5 - 0 ratings

Related issues

wtchappell picture wtchappell  路  4Comments

thetakodev picture thetakodev  路  4Comments

MissFox0810 picture MissFox0810  路  3Comments

Blueeyestar picture Blueeyestar  路  3Comments

mibby picture mibby  路  4Comments