🔍 Issue
Multiple components use dangerouslySetInnerHTML to render problem descriptions, input/output formats, and editorial content without sanitizing user-controlled HTML.
Affected Files
| File |
Line |
What's Rendered |
src/pages/potd.tsx |
258 |
formatDescription(truncatedDesc) — Problem of the Day description |
src/pages/questions/[id].tsx |
447-448 |
formatDescription(ques.description) — Full problem description |
src/pages/questions/[id].tsx |
458-459 |
formatDescription(ques.input_format) — Input format section |
src/pages/questions/[id].tsx |
469-470 |
formatDescription(ques.output_format) — Output format section |
src/components/ProblemOfTheDay.jsx |
8 |
Problem description in card view |
Attack Vector
If any problem description is sourced from a competitive programming API (CodeChef, Codeforces, AtCoder) and a third party can inject HTML into the description (e.g., through a crafted problem statement), they could:
- Execute arbitrary JavaScript in the viewer's browser
- Steal session cookies or auth tokens
- Redirect users to phishing pages
💡 Fix Options
Option A — DOMPurify (recommended):
import DOMPurify from 'dompurify';
// Replace:
<div dangerouslySetInnerHTML={{ __html: formatDescription(desc) }} />
// With:
<div dangerouslySetInnerHTML={{ __html: DOMPurify.sanitize(formatDescription(desc)) }} />
Option B — Markdown parser:
If descriptions are primarily markdown, switch to react-markdown which sanitizes by default:
import ReactMarkdown from 'react-markdown';
<ReactMarkdown>{formatDescription(desc)}</ReactMarkdown>
Priority
High — This is a known CWE-79 (Cross-Site Scripting) vulnerability pattern.
🔍 Issue
Multiple components use
dangerouslySetInnerHTMLto render problem descriptions, input/output formats, and editorial content without sanitizing user-controlled HTML.Affected Files
src/pages/potd.tsxformatDescription(truncatedDesc)— Problem of the Day descriptionsrc/pages/questions/[id].tsxformatDescription(ques.description)— Full problem descriptionsrc/pages/questions/[id].tsxformatDescription(ques.input_format)— Input format sectionsrc/pages/questions/[id].tsxformatDescription(ques.output_format)— Output format sectionsrc/components/ProblemOfTheDay.jsxAttack Vector
If any problem description is sourced from a competitive programming API (CodeChef, Codeforces, AtCoder) and a third party can inject HTML into the description (e.g., through a crafted problem statement), they could:
💡 Fix Options
Option A — DOMPurify (recommended):
Option B — Markdown parser:
If descriptions are primarily markdown, switch to
react-markdownwhich sanitizes by default:Priority
High — This is a known CWE-79 (Cross-Site Scripting) vulnerability pattern.