Skip to content

XSS vulnerability: dangerouslySetInnerHTML renders unsanitized problem content #156

Description

@amaydixit11

🔍 Issue

Multiple components use dangerouslySetInnerHTML to render problem descriptions, input/output formats, and editorial content without sanitizing user-controlled HTML.

Affected Files

File Line What's Rendered
src/pages/potd.tsx 258 formatDescription(truncatedDesc) — Problem of the Day description
src/pages/questions/[id].tsx 447-448 formatDescription(ques.description) — Full problem description
src/pages/questions/[id].tsx 458-459 formatDescription(ques.input_format) — Input format section
src/pages/questions/[id].tsx 469-470 formatDescription(ques.output_format) — Output format section
src/components/ProblemOfTheDay.jsx 8 Problem description in card view

Attack Vector

If any problem description is sourced from a competitive programming API (CodeChef, Codeforces, AtCoder) and a third party can inject HTML into the description (e.g., through a crafted problem statement), they could:

  • Execute arbitrary JavaScript in the viewer's browser
  • Steal session cookies or auth tokens
  • Redirect users to phishing pages

💡 Fix Options

Option A — DOMPurify (recommended):

import DOMPurify from 'dompurify';
// Replace:
<div dangerouslySetInnerHTML={{ __html: formatDescription(desc) }} />
// With:
<div dangerouslySetInnerHTML={{ __html: DOMPurify.sanitize(formatDescription(desc)) }} />

Option B — Markdown parser:
If descriptions are primarily markdown, switch to react-markdown which sanitizes by default:

import ReactMarkdown from 'react-markdown';
<ReactMarkdown>{formatDescription(desc)}</ReactMarkdown>

Priority

High — This is a known CWE-79 (Cross-Site Scripting) vulnerability pattern.

Metadata

Metadata

Assignees

No one assigned

    Labels

    advancedComplex issues requiring experienced contributorsbugSomething isn't workingenhancementNew feature or requestsecuritySecurity vulnerabilities

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions