CVE-2015-3172: Security Patch by yewang · Pull Request #26 · jkk/eidogo
EidoGo is susceptible to Cross-Site Scripting (XSS) attacks via maliciously crafted SGF input.
The modifications in sgf.js escape special HTML characters ("<", ">", and "&") found in SGF values, disabling the ability to embed HTML in SGF comments, game info, etc.
Removing lines 509-513 in player.js removes the ability to load a JSON file by URL. This feature does not seem to be widely used. If it is desired to keep this feature instead, note that it would be necessary to also escape any special HTML characters found in the comments and game info found in the JSON file, since loading a game record via JSON would bypass the sanitizing steps added to the SGF parser.
The latter two changes to player.js replace the unsafe usage of eval with calls to the JSON parser.
Note: it would be much better (but also much more involved) to refactor/redesign EidoGo to avoid overly using innerHTML. The approach used in this patch (of sanitizing SGF input) may mitigate the risk of persistent (stored) XSS attacks, but it does not fix the possibility of reflected XSS attacks that exploit the possibility of malicious code being added to the DOM via the EidoGo interface (i.e., via the ability to set comments/game info from the UI, rather than being loaded through an SGF file).
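As an added illustration (not code from the pull request or from EidoGo itself), the two mitigations described above in plain JavaScript: a hypothetical SGF node parser that HTML-escapes property values as they are read, and a JSON record loader that uses JSON.parse instead of eval and applies the same escaping, since the description notes that a JSON path would otherwise bypass the SGF sanitising. Function names and the sample inputs in the test are my own.

```javascript
// Neutralise the three characters the patch targets before a value can
// reach innerHTML. "&" must be replaced first so later entities are not doubled.
function escapeHtml(value) {
  return value.replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;");
}

// Minimal SGF property extractor (hypothetical helper, not EidoGo's sgf.js):
// parses `ID[value][value]` pairs from one node, honouring the SGF backslash
// escape ("\]" keeps a literal "]" inside a value), and escapes HTML
// metacharacters in every value at parse time.
function parseSgfNode(text) {
  const props = {};
  const propRe = /([A-Z]+)((?:\[(?:\\[\s\S]|[^\]\\])*\])+)/g;
  const valRe = /\[((?:\\[\s\S]|[^\]\\])*)\]/g;
  let m;
  while ((m = propRe.exec(text)) !== null) {
    const values = [];
    let v;
    valRe.lastIndex = 0;
    while ((v = valRe.exec(m[2])) !== null) {
      // drop the SGF backslash escapes, then apply the HTML escaping
      values.push(escapeHtml(v[1].replace(/\\([\s\S])/g, "$1")));
    }
    props[m[1]] = values;
  }
  return props;
}

// Game record supplied as JSON: JSON.parse rejects anything that is not pure
// JSON (so trailing script, as eval would run, throws instead), and string
// fields that end up in the DOM get the same escaping as SGF values.
function loadJsonRecord(jsonText) {
  const record = JSON.parse(jsonText);
  const out = {};
  for (const key of Object.keys(record)) {
    const val = record[key];
    out[key] = typeof val === "string" ? escapeHtml(val) : val;
  }
  return out;
}
```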