[Statement Sheet] [Security] [XSS] [Info] #37

@Orivoir

Hello, I have been using the CodinGame SDK for a short time. While writing my first statement_fr.html page locally, I wanted to add features to the static page, so I tried opening a script tag and started writing inside it.
I then realized that the code in the script tag does not execute. After reflection this seems logical, since after the publication of the game the code would run in the player's browser and would not be controlled by codingame.com, which could be nasty with malicious code.
Then, continuing to write my statement_en.html page, I wanted to load an image from a remote URL (I got the image source wrong), and by reflex I added an onerror attribute on the img tag to verify that the image source was valid. I realized that JavaScript is executed when it is written inline in HTML attributes (in the local environment, anyway). This behavior seems a bit strange, and I have not found another issue that talks about it elsewhere. I would like to know whether this is blocked after publication of the game. Is this a feature that was intentionally added?
Or is this a real bug and possibly an XSS flaw?

I am French, sorry for my approximate English.
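Added example, not part of the original issue and not CodinGame SDK code: a small checker that flags both kinds of script-bearing markup the report contrasts (a `script` element and an inline `on*` handler such as `onerror`), plus `javascript:` URLs, in a statement HTML file. The class and function names and the sample markup are constructed for illustration.

```python
from html.parser import HTMLParser

# Attributes whose value is navigated to or fetched as a URL.
URL_ATTRS = {"href", "src", "action", "formaction", "xlink:href"}
# Browsers ignore leading control characters and spaces in a URL.
LEADING_JUNK = "".join(chr(c) for c in range(0x21))


class StatementAudit(HTMLParser):
    """Collects markup in a statement page that can carry JavaScript."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []  # (line, tag, reason)

    def handle_starttag(self, tag, attrs):
        line = self.getpos()[0]
        if tag == "script":
            self.findings.append((line, tag, "script element"))
        for name, value in attrs:  # names arrive lowercased, values entity-decoded
            if name.startswith("on") and len(name) > 2:
                # Deliberately broad: any on* attribute is treated as a handler.
                self.findings.append((line, tag, f"inline handler {name}"))
            elif name in URL_ATTRS:
                # Tabs and newlines inside the scheme are dropped by browsers too.
                url = "".join(c for c in (value or "") if c not in "\t\n\r")
                if url.lstrip(LEADING_JUNK).lower().startswith("javascript:"):
                    self.findings.append((line, tag, f"javascript: URL in {name}"))


def audit(html_text):
    """Return a list of (line, tag, reason) for every script-bearing construct."""
    parser = StatementAudit()
    parser.feed(html_text)
    parser.close()
    return parser.findings


# Constructed sample in the shape of a statement_en.html fragment.
SAMPLE = """<div class="statement-body">
<script>console.log("a")</script>
<img src="https://example.invalid/missing.png" onerror="console.log('b')">
<a href="JaVa&#115;cript:void(0)">rules</a>
<img src="logo.png" alt="onerror is only text here">
</div>"""

if __name__ == "__main__":
    for line, tag, reason in audit(SAMPLE):
        print(f"line {line}: <{tag}> {reason}")
```

A check like this only reports what is in the file; whether the browser runs a given construct still depends on how the page is inserted and on any Content-Security-Policy in force.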
