funman300/Ferrous-Solitaire
1
1
Fork 0
Code Issues 3 Pull Requests Actions Packages Projects Releases 28 Wiki Activity

fix(server): XSS, missing score submission, leaderboard never updated, no LIMIT

Browse Source 
- leaderboard.html, replays.html: escape user-supplied display_name and
  username before inserting into innerHTML to prevent stored XSS
- game.js: call POST /api/replays on win so browser-game completions are
  recorded; scores were never submitted before this fix
- replays.rs: after replay insert, upsert leaderboard best_score /
  best_time_secs for opted-in users when the new score beats their current
  best (classic mode only); scores were never updated before this fix
- leaderboard.rs: add LIMIT 100 to GET /api/leaderboard to prevent
  unbounded query growth

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
funman300
2026-05-13 19:32:14 -07:00
parent a579c25d5c
commit 38eefb22e8
7 changed files with 77 additions and 8 deletions
Download Patch File Download Diff File Expand all files Collapse all files
solitaire_server/web/replays.html
+7 -4
View File
@@ -86,6 +86,9 @@
</table>
</main>
<script>
function esc(s) {
return String(s ?? '').replace(/&/g,'&amp;').replace(/</g,'&lt;').replace(/>/g,'&gt;').replace(/"/g,'&quot;');
}
function fmtTime(secs) {
if (!secs) return '—';
const m = Math.floor(secs / 60), s = secs % 60;
@@ -111,13 +114,13 @@
status.style.display = 'none';
const tbody = document.getElementById('tbody');
tbody.innerHTML = rows.map(r => `
<tr onclick="location.href='/replays/${r.id}'">
<td class="player">${r.username ?? '—'}</td>
<tr onclick="location.href='/replays/${esc(r.id)}'">
<td class="player">${esc(r.username) || '—'}</td>
<td class="score">${r.final_score?.toLocaleString() ?? '—'}</td>
<td class="time">${fmtTime(r.time_seconds)}</td>
<td class="meta">${r.seed ?? '—'}</td>
<td><span class="draw-badge">Draw ${r.draw_mode ?? '1'}</span></td>
<td><a class="watch-link" href="/replays/${r.id}">Watch &#9654;</a></td>
<td><span class="draw-badge">Draw ${r.draw_mode === 'draw_three' ? '3' : '1'}</span></td>
<td><a class="watch-link" href="/replays/${esc(r.id)}">Watch &#9654;</a></td>
</tr>`).join('');
document.getElementById('table').style.display = 'table';
}