You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
SVG is rendering with unsanitized special charaters.
The rendering function is using user input (string) (string memory questId_) to output an SVG. This might be lead to issues in the future, since SVG format allows for embedding javascript scripts inside, so potentially, if that function has any other use in the future, it might be abused to generate malicious images.
However, at the moment probability is low, since it uses existing questId is created by administrative role, and anyone in posession of administrative role have plenty of other attack vectors than xssing users.
