player.setDisplayName("");
I dont see why fixing this is necessary
When player is able to create custom markers, or creating a marker through another plugin, or able to change their name.
Fixing this is necessary. It is a security vulnerability. HTML should be sanitized after all.
@connection-lost
That is more like a feature ;)
@SimonOrJ
Yes, it is a vulnerability. I must also admit that I completely forgot that dynmap can be configured to require authentication (something that I have never used). In that case it is not a waste of time fixing this.
Totally agree that code should be correct.
Otherwhise, I can't see why this is a really dangerous thing in this case - yet.
Not considering whether "it is okay for server admin to xss attack a player".
But sometimes a player can change their name, or create a custom marker to show on dynmap. Say I am a bad player and create a marker called "My Awesome Shop". Then everyone on the dynmap will be redirected to that website.
@connection-lost
Excellent point!
Should be fixed in today's dev builds for 2.6 and 3.0
Most helpful comment
Not considering whether "it is okay for server admin to xss attack a player".
But sometimes a player can change their name, or create a custom marker to show on dynmap. Say I am a bad player and create a marker called "My Awesome Shop". Then everyone on the dynmap will be redirected to that website.