Coordinated Disclosure Timeline

Summary

The palindrome checker project hosted on https://palindrome-checker.freecodecamp.rocks/ is vulnerable to XSS.

Project

freeCodeCamp/demo-projects

Tested Version

Latest

Details

XSS in the Palindrome Checker project (GHSL-2024-336)

The palindrome checker project hosted on https://palindrome-checker.freecodecamp.rocks/ takes user input and interpolates it unescaped into a template string, which is then assigned to the innerHTML of a newly created element. Any HTML in the input is therefore parsed and rendered by the browser, which leads to self-XSS.

// resultDiv is the result container element, defined elsewhere in the project's script.
const checkForPalindrome = input => {
  const originalInput = input; // Store for later output (never escaped)

  if (input === '') {
    alert('Please input a value');
    return;
  }

  // Remove the previous result
  resultDiv.replaceChildren();

  const lowerCaseStr = input.replace(/[^A-Za-z0-9]/gi, '').toLowerCase();
  // Untrusted input is interpolated directly into markup here
  let resultMsg = `<strong>${originalInput}</strong> ${
    lowerCaseStr === [...lowerCaseStr].reverse().join('') ? 'is' : 'is not'
  } a palindrome.`;

  const pTag = document.createElement('p');
  pTag.className = 'user-input';
  pTag.innerHTML = resultMsg; // innerHTML sink: input is parsed as HTML
  resultDiv.appendChild(pTag);

  // Show the result.
  resultDiv.classList.remove('hidden');
};
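The following is an added example, not code from the freeCodeCamp project or from the advisory, showing the same check rendered without passing user input through innerHTML. Two remediations are shown: escaping the untrusted part when the message must be built as an HTML string, and (preferred) building DOM nodes and assigning the input via textContent so it is never parsed as markup. The names `isPalindrome`, `escapeHtml`, `buildResultHtml` and `renderResult` are this example's own; `resultDiv` is assumed to be the project's result container, and the optional `doc` parameter exists only so the DOM-building variant can be exercised outside a browser.

```javascript
// Added example (not the project's code): palindrome check with safe rendering.

// Same normalisation as the original snippet: strip non-alphanumerics, lower-case.
const isPalindrome = input => {
  const cleaned = String(input).replace(/[^A-Za-z0-9]/g, '').toLowerCase();
  return cleaned === [...cleaned].reverse().join('');
};

// Minimal HTML escaping for the case where markup really has to be built as a
// string. Covers the characters that matter in element content and in
// double- or single-quoted attribute values.
const escapeHtml = s =>
  String(s).replace(/[&<>"']/g, c => ({
    '&': '&amp;',
    '<': '&lt;',
    '>': '&gt;',
    '"': '&quot;',
    "'": '&#39;',
  }[c]));

// Remediation 1: keep the template string, but escape the untrusted part
// before it reaches an HTML sink.
const buildResultHtml = input =>
  `<strong>${escapeHtml(input)}</strong> ${
    isPalindrome(input) ? 'is' : 'is not'
  } a palindrome.`;

// Remediation 2 (preferred): construct nodes and set the user input with
// textContent, so no HTML parsing of the input happens at all.
// `resultDiv` is assumed to be the result container; `doc` defaults to the
// browser's global document and is only a parameter for testability.
const renderResult = (resultDiv, input, doc = globalThis.document) => {
  resultDiv.replaceChildren();               // remove the previous result
  const p = doc.createElement('p');
  p.className = 'user-input';
  const strong = doc.createElement('strong');
  strong.textContent = input;                // input becomes text, never markup
  p.appendChild(strong);
  p.appendChild(
    doc.createTextNode(` ${isPalindrome(input) ? 'is' : 'is not'} a palindrome.`)
  );
  resultDiv.appendChild(p);
  return p;
};
```

In the browser, `renderResult(resultDiv, input)` replaces the original `pTag.innerHTML = resultMsg` step; `buildResultHtml` is only for code paths that cannot be converted to DOM construction, and even there the escaped string should be the only thing that reaches innerHTML.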

Impact

This issue may allow executing arbitrary JavaScript in a victim's browser; however, delivering the self-XSS would require socially engineering the victim into pasting attacker-supplied input into the checker themselves. As such, it is not a high-severity vulnerability.

Credit

This issue was discovered and reported by GHSL team member @sylwia-budzynska (Sylwia Budzynska).

Contact

You can contact the GHSL team at securitylab@github.com; please include a reference to GHSL-2024-336 in any communication regarding this issue.