Using a single quote in a recipe name (a common character in French) causes a JavaScript syntax error when pressing the add to shopping list button on Chrome.
It is in fact an XSS vulnerability, but one has to change a file name to exploit it, so it is safe for the server owner... but not for the other users :-)
The same kind of error appears at various places but is caused by the built-in translated strings dynamically displayed on screen (see below).
Here is an example for the "Nids d'hirondelles" recipe.
It is caused by the interpretation of the single quote by the browser despite its apparent escaping.
<button onclick="addToShoppingList(event, 'Nids d'hirondelles.cook')"
class="px-3 lg:px-4 py-2 text-sm lg:text-base bg-gradient-to-r from-purple-500 to-pink-500 text-white rounded-lg hover:from-purple-600 hover:to-pink-600 transition-all shadow-md flex items-center gap-1.5 lg:gap-2 whitespace-nowrap"
title="Ajouter à la liste de courses">
<svg class="w-4 h-4 lg:w-5 lg:h-5" fill="none" stroke="currentColor" viewBox="0 0 24 24">
<path stroke-linecap="round" stroke-linejoin="round" stroke-width="2" d="M3 3h2l.4 2M7 13h10l4-8H5.4M7 13L5.4 5M7 13l-2.293 2.293c-.63.63-.184 1.707.707 1.707H17m0 0a2 2 0 100 4 2 2 0 000-4zm-8 2a2 2 0 11-4 0 2 2 0 014 0z"></path>
</svg>
<span class="hidden lg:inline">Ajouter à la liste de courses</span>
</button>
Single quotes should be escaped with a backslash in this case, since HTML special characters are interpreted before JavaScript execution.
There are various other places with the same vulnerability, caused either by single quotes in recipe names or just by the built-in French translated strings:
async function addToShoppingList(event, recipePath) {
[...]
try {
const response = await fetch('/api/shopping_list/add', {
method: 'POST',
headers: {
'Content-Type': 'application/json',
},
body: JSON.stringify({
path: recipePath,
name: 'Nids d'hirondelles',
scale: parseFloat(scale)
})
});
if (response.ok) {
[...]
} else {
const data = await response.json().catch(() => ({}));
showRecipeError(data.error || 'Échec de l'ajout à la liste de courses');
}
} catch (error) {
console.error('Failed to add to shopping list:', error);
showRecipeError('Échec de l'ajout à la liste de courses');
}
}
Just look for the use of single quotes in translations or the ' character in generated JavaScript; the above extracts are just the ones I spotted in the recipe page, searching for the ' character in sources.
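As an added illustration (not the project's own code; the names `renderButtonUnsafe`, `renderButtonSafe`, `jsStringLiteral` and `handlerParses` are hypothetical), here is the onclick pattern from the report next to a hardened version, plus a small check that mimics the browser decoding the attribute entities before handing the handler to the JavaScript parser.

```javascript
// Minimal HTML attribute escaper (constructed for this example).
function escapeHtmlAttr(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);
}

// Emit a valid JS string literal: JSON.stringify backslash-escapes quotes,
// backslashes and newlines; also neutralise characters that can close a
// <script> block or break JS parsing (U+2028/U+2029).
function jsStringLiteral(s) {
  return JSON.stringify(String(s))
    .replace(/</g, '\\u003c')
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029');
}

// Pattern from the report: the name is dropped into a single-quoted JS string,
// then only the HTML attribute is escaped. The browser decodes &#39; back to '
// before the JS parser runs, so the literal is broken again.
function renderButtonUnsafe(fileName) {
  const handler = `addToShoppingList(event, '${fileName}')`;
  return `<button onclick="${escapeHtmlAttr(handler)}">Add</button>`;
}

// Hardened: build valid JS first (backslash-escaped literal), then HTML-escape
// the whole attribute value. Decoding the attribute yields the intended JS.
function renderButtonSafe(fileName) {
  const handler = `addToShoppingList(event, ${jsStringLiteral(fileName)})`;
  return `<button onclick="${escapeHtmlAttr(handler)}">Add</button>`;
}

// Approximates what the browser does with an onclick attribute: decode the
// entities, then compile the handler as a function body. new Function only
// parses the code, it does not execute it; returns false on a SyntaxError.
function handlerParses(buttonHtml) {
  const m = /onclick="([^"]*)"/.exec(buttonHtml);
  const decoded = m[1].replace(/&(amp|lt|gt|quot|#39);/g, (_, e) =>
    ({ amp: '&', lt: '<', gt: '>', quot: '"', '#39': "'" })[e]);
  try { new Function('event', decoded); return true; } catch (e) { return false; }
}
```

Run `handlerParses(renderButtonUnsafe("Nids d'hirondelles.cook"))` to reproduce the syntax error from the report, and the same call with `renderButtonSafe` to see the literal survive the HTML decoding step.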