fix(chat): replace eval() of server output with JSON.parse() [#139] (#242)

This commit is contained in:
Ferywir
2026-06-19 12:30:54 +02:00
committed by GitHub
parent 1a797bab80
commit b0e6680705
+5 -3
@@ -110,7 +110,9 @@ if (!isset($SAJAX_INCLUDED)) {
else {
echo "+:";
$result = call_user_func_array($func_name, $args);
echo "var res = " . trim(sajax_get_js_repr($result)) . "; res;";
// Emit the result as JSON so the client can JSON.parse() it instead
// of eval()-ing server output (DOM-XSS / arbitrary code execution).
echo json_encode($result);
}
exit;
}
@@ -250,7 +252,7 @@ if (!isset($SAJAX_INCLUDED)) {
alert("Error: " + data);
else {
if (target_id != "")
document.getElementById(target_id).innerHTML = eval(data);
document.getElementById(target_id).innerHTML = JSON.parse(data);
else {
try {
var callback;
@@ -261,7 +263,7 @@ if (!isset($SAJAX_INCLUDED)) {
} else {
callback = args[args.length-1];
}
callback(eval(data), extra_data);
callback(JSON.parse(data), extra_data);
} catch (e) {
sajax_debug("Caught error " + e + ": Could not eval " + data );
}
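Review bot: In the second hunk the new line `document.getElementById(target_id).innerHTML = JSON.parse(data);` still writes the server result into an HTML sink, so switching from eval() to JSON.parse() removes script execution of the transport but not DOM-XSS through any markup contained in `$result`; if the result is plain text the line should be `document.getElementById(target_id).textContent = JSON.parse(data);`, and if HTML is intended the value must be escaped or sanitized server-side before `json_encode($result)`. In the first hunk `json_encode()` returns `false` on failure (e.g. invalid UTF-8 in `$result`), which `echo` prints as an empty body, so the client-side `JSON.parse(data)` then throws and the error is only visible via the catch below; the server should check `json_last_error() !== JSON_ERROR_NONE` (or use `JSON_THROW_ON_ERROR` if the PHP version allows) and emit the "-:" error form instead. In the third hunk the debug message `"Could not eval " + data` is now stale and should read `"Could not parse " + data`; note that this catch also swallows exceptions thrown inside `callback` itself, not just parse failures. The enclosing JavaScript function and the PHP branch of the first hunk both start and end outside the hunks shown.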