Skip to content

Fix: Reject HTML/JS in player and game name changesets#2627

Open
xovishnukosuri wants to merge 2 commits intoOWASP:masterfrom
xovishnukosuri:fix/validate-player-game-names-reject-html
Open

Fix: Reject HTML/JS in player and game name changesets#2627
xovishnukosuri wants to merge 2 commits intoOWASP:masterfrom
xovishnukosuri:fix/validate-player-game-names-reject-html

Conversation

@xovishnukosuri
Copy link

@xovishnukosuri xovishnukosuri commented Mar 14, 2026

Summary

  • Adds validate_format to Player.changeset/2 and Game.changeset/2 to reject names containing < or > characters
  • Prevents raw malicious HTML/JS content (e.g. <script>alert('XSS')</script>) from being stored in the database
  • Adds tests verifying that player and game names with HTML tags are rejected

Fixes #2555

Details

The name field in both Player and Game Ecto schemas previously only validated presence and length. This allowed arbitrary HTML/JS payloads to be stored in the database. While Phoenix auto-escapes output (preventing immediate XSS), storing raw dangerous content is a data integrity risk -- especially if the data is later used in raw templates, CSV/JSON exports, emails, or admin views.

The fix uses validate_format(:name, ~r/\A[^<>]*\z/) which rejects any name containing angle brackets. This is a minimal, targeted change that fits the existing changeset validation pattern.

Test plan

  • Added test: create_game/1 rejects name containing HTML tags
  • Added test: create_player/1 rejects name containing HTML tags
  • Verify existing tests still pass
  • Manually test that game/player creation with normal names still works
  • Manually test that <script> or <img> payloads in names are rejected with a clear error

🤖 Generated with Claude Code

vishnu and others added 2 commits March 14, 2026 06:35
@claude
Fix: prevent players from joining games already in progress
a98dd59 
Closes OWASP#2521. Players could join a game after it had started by
navigating directly to the join URL, allowing them to watch and vote
without being dealt any cards. This adds a started_at check in both
the join page mount (PlayerLive.Index) and the player creation handler
(PlayerLive.FormComponent) to block joining started games.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@claude
Add changeset validation to reject HTML/JS in player and game names
90334f5 
Prevent raw malicious HTML/JS content (e.g. <script> tags) from being
stored in the database by adding validate_format to Player and Game
changesets. Names containing < or > characters are now rejected.

Fixes OWASP#2555

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@rewtd rewtd Awaiting requested review from rewtd rewtd is a code owner

@sydseter sydseter Awaiting requested review from sydseter sydseter is a code owner

@cw-owasp cw-owasp Awaiting requested review from cw-owasp cw-owasp is a code owner

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Raw Malicious Content Stored in Database Due to Missing Changeset Validation

1 participant

@xovishnukosuri