From b0e66807051a51ac67cd006f988755c04381fb6c Mon Sep 17 00:00:00 2001
From: Ferywir <65760459+Ferywir@users.noreply.github.com>
Date: Fri, 19 Jun 2026 12:30:54 +0200
Subject: [PATCH] fix(chat): replace eval() of server output with JSON.parse() [#139] (#242)

---
 GameEngine/Chat.php | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/GameEngine/Chat.php b/GameEngine/Chat.php
index 1660b27b..f013977d 100755
--- a/GameEngine/Chat.php
+++ b/GameEngine/Chat.php
@@ -110,7 +110,9 @@ if (!isset($SAJAX_INCLUDED)) {
 else {
 echo "+:";
 $result = call_user_func_array($func_name, $args);
-echo "var res = " . trim(sajax_get_js_repr($result)) . "; res;";
+// Emit the result as JSON so the client can JSON.parse() it instead
+// of eval()-ing server output (DOM-XSS / arbitrary code execution).
+echo json_encode($result);
 }
 exit;
 }
@@ -250,7 +252,7 @@ if (!isset($SAJAX_INCLUDED)) {
 alert("Error: " + data);
 else {
 if (target_id != "")
-document.getElementById(target_id).innerHTML = eval(data);
+document.getElementById(target_id).innerHTML = JSON.parse(data);
 else {
 try {
 var callback;
@@ -261,7 +263,7 @@ if (!isset($SAJAX_INCLUDED)) {
 } else {
 callback = args[args.length-1];
 }
-callback(eval(data), extra_data);
+callback(JSON.parse(data), extra_data);
 } catch (e) {
 sajax_debug("Caught error " + e + ": Could not eval " + data );
 }
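Review bot: The new `echo json_encode($result);` has no failure path: json_encode() returns false when the value cannot be encoded (for example a string that is not valid UTF-8, which is plausible for chat text coming from a legacy database), `echo false` prints nothing, and the client is then handed the `+:` prefix with an empty body that JSON.parse() rejects. Check the return value before echoing, e.g. `$json = json_encode($result); if ($json === false) { /* emit the existing error response */ } echo $json;`, or pass JSON_INVALID_UTF8_SUBSTITUTE (PHP 7.2+) or JSON_THROW_ON_ERROR (PHP 7.3+) if the project's PHP baseline allows it. The error response this handler uses for bad requests is not in the hunk, so I cannot tell which prefix it emits; the enclosing function starts and ends outside the hunk.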
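Review bot: The replacement on the `target_id` branch still writes the decoded value into `innerHTML`, so a string result that contains markup is rendered as HTML even though the eval() is gone; the commit removes the code-execution sink but not the HTML-injection one. If the result is meant to be displayed as text, use `document.getElementById(target_id).textContent = JSON.parse(data);`; if it is intentionally HTML, the server side must escape any user-controlled fragments before json_encode() and that should be documented at this line. Separately, this JSON.parse() call sits outside the try/catch that guards the callback branch below, so a malformed or empty body (which the server can now produce when json_encode() fails) throws an uncaught SyntaxError here, whereas the old code always received syntactically valid JS; wrapping this assignment in the same try/catch would close that gap. The surrounding handler function starts and ends outside the hunk.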
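Review bot: The catch block right after the changed `callback(JSON.parse(data), extra_data);` line still reports `Could not eval`, which no longer describes what failed and will mislead whoever reads the debug output; change it to `sajax_debug("Caught error " + e + ": Could not parse " + data );`. The same catch also swallows exceptions thrown by the callback itself, so a parse failure and an application error in the callback are indistinguishable in the log; checking `e instanceof SyntaxError` before choosing the message would keep the two apart. This is pre-existing behaviour rather than something the commit introduces, but the message wording is worth fixing in the same change.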