Raw Malicious Content Stored in Database Due to Missing Changeset Validation

[khushal-winner]

Describe the bug
Stored malicious HTML/JS payloads (e.g. <script>alert('XSS')</script>) are accepted and saved in player/game names without any validation or sanitization.
Phoenix auto-escapes output so no XSS executes now, but raw dangerous content stays in the database.

Expected behavior
Player and game names should be validated/sanitized on save reject or strip HTML/JS tags and other unsafe characters.

Screenshot

Desktop (please complete the following information):

• OS: Windows / macOS / Linux
• Browser: Chrome / Firefox / Edge
• Version: Latest

Additional context

• No content validation in changesets (only length/required checks).
• Raw HTML/JS stored in DB → big risk if someone later uses raw() in templates, adds exports (CSV/JSON), emails, or admin views.
• Current Phoenix escaping protects against immediate XSS, but this is a future-proofing / data integrity issue.

[khushal-winner]

@sydseter , if we expand in near future should we fix this?

[xovishnukosuri]

I've investigated this issue. The root cause is that both Player.changeset/2 and Game.changeset/2 in the Ecto schemas only validate presence and length of the name field, but do not reject HTML/JS content like <script>alert('XSS')</script>.

Fix: Add validate_format/4 to both changesets to reject names containing < or > characters. This prevents raw HTML/JS from being stored in the database while keeping the validation minimal and consistent with the existing changeset pattern.

The regex ~r/\A[^<>]*\z/ ensures the entire name string contains no angle brackets. Names like <script>alert('xss')</script> or <img src=x onerror=alert(1)> will be rejected with a clear error message.

Opening a PR shortly.