Coordinated Disclosure Timeline
- 2024-11-13: Sent the report to the maintainer’s email and submitted a pull request with a potential fix for the issue.
- 2024-11-20: The maintainer acknowledges the report and merges the fix.
- 2024-11-21: The researcher is added to freeCodeCamp’s Responsible Disclosure - Wall of Fame.
Summary
The palindrome checker project hosted on https://palindrome-checker.freecodecamp.rocks/
is vulnerable to XSS.
Project
freeCodeCamp/demo-projects
Tested Version
Latest
Details
XSS in the Palindrome Checker project (GHSL-2024-336)
The palindrome checker project hosted on https://palindrome-checker.freecodecamp.rocks/
takes user input and interpolates it into a string that is later assigned to the innerHTML
sink, which leads to self-XSS.
// resultDiv is the result container element; it is defined elsewhere in the project's script.
const checkForPalindrome = input => {
  const originalInput = input; // Store for later output
  if (input === '') {
    alert('Please input a value');
    return;
  }
  // Remove the previous result
  resultDiv.replaceChildren();
  const lowerCaseStr = input.replace(/[^A-Za-z0-9]/gi, '').toLowerCase();
  let resultMsg = `<strong>${originalInput}</strong> ${
    lowerCaseStr === [...lowerCaseStr].reverse().join('') ? 'is' : 'is not'
  } a palindrome.`;
  const pTag = document.createElement('p');
  pTag.className = 'user-input';
  pTag.innerHTML = resultMsg; // Sink: the raw originalInput is parsed as HTML here
  resultDiv.appendChild(pTag);
  // Show the result.
  resultDiv.classList.remove('hidden');
};
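The two rendering paths side by side, as an added example that is neither freeCodeCamp's code nor the merged fix: the check is split into a pure predicate, a string builder that mirrors the vulnerable interpolation, an escaped variant, and a DOM-based renderer that assigns the input through textContent so it is never parsed as HTML. The `doc` and `container` parameters and all helper names are assumptions; in a browser, `doc` is `document`.

```javascript
// Added example (not the project's code): pure palindrome predicate.
const isPalindrome = input => {
  const normalized = input.replace(/[^A-Za-z0-9]/gi, '').toLowerCase();
  return normalized === [...normalized].reverse().join('');
};

const verdict = input => (isPalindrome(input) ? 'is' : 'is not');

// Mirrors the advisory's vulnerable pattern: the raw input becomes markup.
// If this string reaches innerHTML, any tags in `input` are parsed as HTML.
const unsafeMarkup = input =>
  `<strong>${input}</strong> ${verdict(input)} a palindrome.`;

// Minimal escaping for text placed inside an element's content.
const escapeHtml = s =>
  s.replace(/[&<>"']/g, c => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;'
  })[c]);

// Same markup, but user input is escaped before it is interpolated.
const safeMarkup = input =>
  `<strong>${escapeHtml(input)}</strong> ${verdict(input)} a palindrome.`;

// Preferred approach: build DOM nodes and set textContent, so there is no
// HTML parsing of user input at all. `doc` needs createElement/createTextNode
// and `container` needs replaceChildren (real DOM objects in a browser).
const renderResult = (doc, container, input) => {
  const p = doc.createElement('p');
  p.className = 'user-input';
  const strong = doc.createElement('strong');
  strong.textContent = input; // assigned as text, never parsed as markup
  p.appendChild(strong);
  p.appendChild(doc.createTextNode(` ${verdict(input)} a palindrome.`));
  container.replaceChildren(p);
  return p;
};
```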
Impact
This issue may allow executing arbitrary JavaScript in a victim’s browser. However, delivering the self-XSS would involve socially engineering the victim into pasting the attacker-supplied input into their own browser. As such, it’s not a high severity vulnerability.
Credit
This issue was discovered and reported by GHSL team member @sylwia-budzynska (Sylwia Budzynska).
Contact
You can contact the GHSL team at securitylab@github.com, please include a reference to GHSL-2024-336 in any communication regarding this issue.