Problem
Player names and ploys are passed through Socket.IO and injected into the DOM via jQuery .html(). A player could submit <script>alert(1)</script> as their name or ploy and execute arbitrary JavaScript on all connected clients.
Suggested fix
Sanitize all user input before rendering. Use .text() instead of .html() for user-supplied content, or apply HTML entity escaping server-side before broadcasting.
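The server-side option from the suggested fix, as an added example that is not the project's own code: the event names ('setName', 'playerJoined') and the shape of the socket/io objects are assumed, and the two client-side rendering lines are shown as comments because they are alternatives, not something to combine (escaping on the server and then using .text() on the client would display the entities literally).

```javascript
// Added example, not code from the project: escape player-supplied strings on
// the server before broadcasting, so every client receives inert markup.
// The event names ('setName', 'playerJoined') and the socket/io objects are
// assumed; in the real app this would sit in the Socket.IO connection handler.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Replace every HTML-significant character with its entity so the string can
// no longer open a tag or break out of an attribute, whatever the client does.
function escapeHtml(input) {
  return String(input).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Normalise one user field: must be a string, trimmed, bounded in length,
// then entity-escaped. Returns '' for anything unusable.
function sanitizePlayerField(value, maxLen = 40) {
  if (typeof value !== 'string') return '';
  return escapeHtml(value.trim().slice(0, maxLen));
}

// Build the broadcast payload from a raw 'setName' message. Kept separate
// from the socket plumbing so it can be unit-tested without Socket.IO.
function buildPlayerJoined(socketId, rawName) {
  const name = sanitizePlayerField(rawName);
  return name ? { id: socketId, name } : null;
}

// Server-side wiring (assumed handler shape): nothing reaches io.emit
// without passing through sanitizePlayerField first.
function registerHandlers(io, socket) {
  socket.on('setName', (rawName) => {
    const payload = buildPlayerJoined(socket.id, rawName);
    if (payload) io.emit('playerJoined', payload);
  });
}

// Client side, pick ONE of these depending on whether the server escapes:
// $('#players').append($('<li>').html(payload.name)); // server already escaped
// $('#players').append($('<li>').text(payload.name)); // raw value: text node only
```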