Summary
profile_badge_generator.py accepts a user-controlled custom_message, reuses it as the badge label, and interpolates that label directly into generated HTML attributes. The badge generator page then renders the returned preview HTML with innerHTML.
A crafted label containing quote characters can break out of the alt attribute in the preview/generated HTML and create executable markup in the badge generator origin.
Impact
This can lead to client-side script execution when the badge generator preview is rendered, and it can also produce unsafe copy/paste HTML for generated badges.
Recommended fix
- Encode the Shields.io label path component with safe="".
- Escape user-controlled labels before placing them in HTML attributes.
- Escape Markdown alt text.
- Build the browser preview with DOM APIs instead of assigning returned HTML to innerHTML.
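The server-side part of the recommended fix, as an added example rather than the project's own patch: the user-controlled label is percent-encoded for the Shields.io path with safe="", HTML-escaped before it lands in the alt attribute, and bracket-escaped for the Markdown alt text. The function and parameter names are assumptions; the DOM-based preview belongs in the page's JavaScript and is not shown here.

```python
from html import escape
from urllib.parse import quote

# Shields.io static badge format: https://img.shields.io/badge/<label>-<message>-<color>
SHIELDS_BASE = "https://img.shields.io/badge"


def build_badge(custom_message: str, status: str = "ok", color: str = "blue") -> dict:
    """Build the badge URL plus HTML and Markdown snippets, escaping the
    user-controlled label once per output context (assumed helper name)."""
    label = custom_message

    # URL path context: safe="" percent-encodes every reserved character,
    # so '/', '?', '#', quotes and spaces cannot change the path or spill
    # into the surrounding attribute.
    url = "{}/{}-{}-{}".format(
        SHIELDS_BASE,
        quote(label, safe=""),
        quote(status, safe=""),
        quote(color, safe=""),
    )

    # HTML attribute context: quote=True also escapes " and ', so the
    # label can no longer terminate the alt attribute.
    html = '<img src="{}" alt="{}">'.format(
        escape(url, quote=True),
        escape(label, quote=True),
    )

    # Markdown alt text: a bare ']' ends the alt text early and a backslash
    # could neutralise our own escape, so escape both.
    md_label = label.replace("\\", "\\\\").replace("]", "\\]")
    markdown = "![{}]({})".format(md_label, url)

    return {"url": url, "html": html, "markdown": markdown}


if __name__ == "__main__":
    # Constructed sample input containing quote characters.
    for line in build_badge('say "hi" & more').values():
        print(line)
```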
I have a patch prepared with a focused regression test. Public payout/payment details are intentionally omitted and can be handled privately if this is accepted under #305.