Mehmet KOZAN b8137927a6 Security: Fix Critical XSS in NewsModal (CVE GHSA-rpr9-rxv7-x643) (#3932)
Subject: Security Vulnerability Report: Critical XSS in OpenFront.io via
sanitize-html (CVE GHSA-rpr9-rxv7-x643)

Hello OpenFront Development Team,

While reviewing the OpenFront.io project, I discovered a critical
Cross-Site Scripting (XSS) vulnerability on the client side. I am
responsibly disclosing this issue to you along with technical details
and a remediation plan so it can be addressed.

Vulnerability Summary
- Vulnerability Type: Cross-Site Scripting (XSS) / Mutation XSS
- Affected Components: src/client/NewsModal.ts,
src/client/components/NewsBox.ts
- Affected Dependency: sanitize-html v2.17.0 (imported via lit-markdown)
- CVE Reference: GHSA-rpr9-rxv7-x643 (CVSS Score: 9.3)

Technical Details
The "News" (Changelog) modal in the game uses the lit-markdown package
to parse markdown content. This package depends on sanitize-html
v2.17.0.

This specific version of sanitize-html has a known parsing flaw when
handling the `<xmp>` tag. When malicious HTML is wrapped inside an
`<xmp>` tag, the sanitization filter misinterprets it and fails to
properly strip the inner HTML. As a result, when the sanitized content
is injected into the DOM, the browser executes the inner HTML.

Proof of Concept (PoC)
If the changelog.md file (or the network response) is manipulated to
include the following payload, the malicious code bypasses sanitization
and executes in the context of the application:

`<xmp><img src=x onerror="alert('System compromised')"></xmp>`

In local testing, injecting this payload directly into the markdown
property of the news-modal component resulted in the `<img>` tag
bypassing the filter and rendering successfully in the DOM.

Impact
This vulnerability introduces a high-risk Stored XSS vector. If an
attacker compromises the server or the CDN hosting the changelog.md
file, or performs a Man-in-the-Middle (MitM) attack:
- Arbitrary JavaScript can be executed in the browsers of all players
who open the News modal.
- Session tokens and authentication data can be stolen.
- Attackers can perform unauthorized actions on behalf of the players
(e.g., disbanding clans or altering settings).

Remediation
The fix is straightforward and requires updating the sanitize-html
library to version 2.17.4 or higher.

You can enforce this update by adding an overrides block to your
package.json:

"overrides": { 
  "sanitize-html": ">=2.17.4" 
}

After updating the package.json, running npm install will apply the
patch.

I am disclosing this vulnerability responsibly and will keep the details
private until a patch has been released. Please let me know if you need
any further information or assistance with the fix.

Best regards,

Mehmet Kozan
Security Researcher
Email: twanske1@gmail.com

---

## Description:

This PR addresses the critical XSS vulnerability detailed above. By
enforcing `sanitize-html` to be version `>=2.17.4` via the `overrides`
block in `package.json`, the `<xmp>` tag parsing flaw is patched. No UI
changes or new text strings were added.

## Please complete the following:

- [ ] I have added screenshots for all UI updates *(N/A - Security patch
in package.json)*
- [ ] I process any text displayed to the user through translateText()
and I've added it to the en.json file *(N/A)*
- [ ] I have added relevant tests to the test directory *(N/A)*
- [x] I confirm I have thoroughly tested these changes and take full
responsibility for any bugs introduced

## Please put your Discord username so you can be contacted if a bug or regression is found:

hz.mehmetsultan
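
The `<xmp>` bypass described in the report above, as an added illustration that is not OpenFront's code and not sanitize-html's implementation: a toy allow-list sanitizer that reproduces the bug class (a raw-text wrapper such as `<xmp>` is dropped, but the text it enclosed is passed through unescaped and is therefore re-parsed as markup once the wrapper is gone), its hardened counterpart, and a post-condition check that re-tokenizes the output the way `innerHTML` would. The element set, the tag allow-list and the tokenizer are assumptions made for this example; the payload is the one quoted in the report. The exact parsing mistake inside sanitize-html 2.17.0 is not reproduced here, only the context-mismatch pattern that makes such mistakes exploitable.

```javascript
// Added example (toy code, not sanitize-html): why dropping a raw-text wrapper
// without re-escaping its content turns "text" into executable markup.

// Elements whose content the HTML parser treats as raw text: no tags or entities
// are recognised until the matching end tag. <xmp> is obsolete, but browsers
// still parse it this way. (Set chosen for the example.)
const RAW_TEXT_ELEMENTS = new Set(["xmp", "script", "style", "iframe", "noembed", "noframes"]);
const TAG_RE = /<(\/?)([a-zA-Z][a-zA-Z0-9]*)([^>]*)>/g;

// Escape a string for an HTML text-node context.
function escapeHtml(s) {
  return s.replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;").replace(/"/g, "&quot;");
}

// Minimal tokenizer that mirrors the browser's raw-text rule. Text tokens carry
// `raw: true` when they came from inside a raw-text element.
function tokenize(html) {
  const tokens = [];
  let i = 0;
  let m;
  TAG_RE.lastIndex = 0;
  while ((m = TAG_RE.exec(html)) !== null) {
    if (m.index > i) tokens.push({ type: "text", value: html.slice(i, m.index), raw: false });
    const [whole, slash, name, attrs] = m;
    const lname = name.toLowerCase();
    tokens.push({ type: "tag", closing: slash === "/", name: lname, attrs });
    i = m.index + whole.length;
    if (!slash && RAW_TEXT_ELEMENTS.has(lname)) {
      // Everything up to the matching end tag is text, exactly as the browser sees it.
      const rel = html.slice(i).search(new RegExp(`</${lname}`, "i"));
      const end = rel === -1 ? html.length : i + rel;
      tokens.push({ type: "text", value: html.slice(i, end), raw: true });
      i = end;
      TAG_RE.lastIndex = end;
    }
  }
  if (i < html.length) tokens.push({ type: "text", value: html.slice(i), raw: false });
  return tokens;
}

// Allow-list for the toy sanitizer (assumption); attributes are dropped entirely.
const ALLOWED_TAGS = new Set(["p", "b", "i", "em", "strong", "ul", "ol", "li", "code", "pre", "br"]);

function emitTag(t) {
  return `<${t.closing ? "/" : ""}${t.name}>`;
}

// Model of the bug class from the report: <xmp> is not allowed, so its tags are
// dropped, but its raw-text content is copied through verbatim on the reasoning
// "it was tokenized as text, so it cannot contain markup". Without the wrapper,
// the browser re-parses that text in normal mode and finds an <img> tag.
function sanitizeBuggy(html) {
  let out = "";
  for (const t of tokenize(html)) {
    if (t.type === "tag") { if (ALLOWED_TAGS.has(t.name)) out += emitTag(t); continue; }
    out += t.raw ? t.value : escapeHtml(t.value);
  }
  return out;
}

// Hardened variant: text is escaped for the context it will actually land in,
// regardless of which element it was tokenized inside.
function sanitizeFixed(html) {
  let out = "";
  for (const t of tokenize(html)) {
    if (t.type === "tag") { if (ALLOWED_TAGS.has(t.name)) out += emitTag(t); continue; }
    out += escapeHtml(t.value);
  }
  return out;
}

// Post-condition check usable as a unit test against any sanitizer: re-tokenize
// the output as the DOM will (no raw-text wrapper survives, so normal mode) and
// look for event-handler attributes on start tags.
function hasEventHandler(html) {
  return tokenize(html).some(t => t.type === "tag" && !t.closing && /\son[a-z]+\s*=/i.test(t.attrs));
}

// The payload quoted in the report.
const PAYLOAD = `<xmp><img src=x onerror="alert('System compromised')"></xmp>`;

console.log("input harmless as-is :", hasEventHandler(PAYLOAD));
console.log("buggy output          :", sanitizeBuggy(PAYLOAD), hasEventHandler(sanitizeBuggy(PAYLOAD)));
console.log("fixed output          :", sanitizeFixed(PAYLOAD), hasEventHandler(sanitizeFixed(PAYLOAD)));
```

The point the check makes visible is the "mutation": the payload is inert when parsed as written, because the browser never sees a tag inside `<xmp>`, and becomes live only after the sanitizer has removed the wrapper. Any sanitizer that tokenizes differently from the browser, or that changes the parsing context of content it keeps, needs this kind of re-parse test rather than a test on the input alone.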


OpenFront.io is an online real-time strategy game focused on territorial control and alliance building. Players compete to expand their territory, build structures, and form strategic alliances in various maps based on real-world geography.

This is a fork/rewrite of WarFront.io. Credit to https://github.com/WarFrontIO.


License

OpenFront source code is licensed under the GNU Affero General Public License v3.0

Current copyright notices appear in:

  • Footer: "© OpenFront and Contributors"
  • Loading screen: "© OpenFront and Contributors"

Modified versions must preserve these notices in reasonably visible locations.

See the LICENSE for complete requirements.

For asset licensing, see LICENSE-ASSETS.
For license history, see LICENSING.md.

🌟 Features

  • Real-time Strategy Gameplay: Expand your territory and engage in strategic battles
  • Alliance System: Form alliances with other players for mutual defense
  • Multiple Maps: Play across various geographical regions including Europe, Asia, Africa, and more
  • Resource Management: Balance your expansion with defensive capabilities
  • Cross-platform: Play in any modern web browser

📋 Prerequisites

  • npm (v10.9.2 or higher)
  • A modern web browser (Chrome, Firefox, Edge, etc.)

🚀 Installation

  1. Clone the repository

    git clone https://github.com/openfrontio/OpenFrontIO.git
    cd OpenFrontIO
    
  2. Install dependencies

    npm run inst
    

    Do NOT use npm install or npm i; use our npm run inst instead. It runs the safer npm ci --ignore-scripts, which installs exactly the versions recorded in package-lock.json and skips lifecycle scripts (preinstall, install, postinstall, prepare), so a dependency that ships a malicious install script cannot run code on your machine. This can prevent being hit by a supply chain attack. Note that npm ci aborts if package.json and package-lock.json disagree, and --ignore-scripts also skips this project's own lifecycle scripts.
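
The remediation in the commit message above adds an `overrides` entry for `sanitize-html`, while the installation step here uses `npm ci`, which installs what `package-lock.json` records and nothing else. An override therefore protects a machine only once the regenerated lockfile (with the nested copy under `lit-markdown` replaced) has been committed. The following check, added here and not part of OpenFront's tooling, walks a lockfile-v2/v3 `packages` map and reports every installed copy of a package, nested or top-level, that is below the required version. The lockfile fragment is constructed for illustration (the `lit-markdown` version in it is a placeholder), and `compareVersions` assumes plain `x.y.z` release versions.

```javascript
// Added example (not project code): confirm that an `overrides` entry actually
// reached package-lock.json, so that `npm ci --ignore-scripts` installs the
// patched version everywhere, including nested copies.

// Compare two "x.y.z" versions; returns -1, 0 or 1. Pre-release tags and build
// metadata are ignored (assumption: plain release versions only).
function compareVersions(a, b) {
  const pa = a.split(/[-+]/)[0].split(".").map(Number);
  const pb = b.split(/[-+]/)[0].split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    const x = pa[i] || 0;
    const y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Return every installed copy of `name` in a lockfile-v2/v3 `packages` map whose
// version is below `minVersion`. Nested copies (node_modules/<dep>/node_modules/<name>)
// are exactly what an override is meant to eliminate, so they are reported too.
function findOutdatedCopies(lock, name, minVersion) {
  const suffix = `node_modules/${name}`;
  const hits = [];
  for (const [path, info] of Object.entries(lock.packages || {})) {
    if (path !== suffix && !path.endsWith(`/${suffix}`)) continue;
    if (!info.version || compareVersions(info.version, minVersion) < 0) {
      hits.push({ path, version: info.version || null });
    }
  }
  return hits;
}

// Constructed lockfile fragment: the override placed 2.17.4 at the root, but a
// stale nested copy pulled in by lit-markdown is still at 2.17.0. The
// lit-markdown version shown is a placeholder, not a real release.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "openfront", dependencies: { "lit-markdown": "^1.0.0" } },
    "node_modules/lit-markdown": { version: "1.0.0", dependencies: { "sanitize-html": "^2.17.0" } },
    "node_modules/lit-markdown/node_modules/sanitize-html": { version: "2.17.0" },
    "node_modules/sanitize-html": { version: "2.17.4" },
  },
};

// Exit-code style result for use in CI: true when every copy meets the minimum.
function lockfileIsPatched(lock, name, minVersion) {
  return findOutdatedCopies(lock, name, minVersion).length === 0;
}

console.log(JSON.stringify(findOutdatedCopies(SAMPLE_LOCK, "sanitize-html", "2.17.4")));
console.log("patched:", lockfileIsPatched(SAMPLE_LOCK, "sanitize-html", "2.17.4"));
```

To run this against the real repository, replace `SAMPLE_LOCK` with `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))`; a non-empty result means the override has not been resolved into the lock yet and `npm run inst` will still install the old copy.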

🎮 Running the Game

Development Mode

Run both the client and server in development mode with live reloading:

npm run dev

This will:

  • Start the webpack dev server for the client
  • Launch the game server with development settings
  • Open the game in your default browser (to disable this behavior, set SKIP_BROWSER_OPEN=true in your environment)

Client Only

To run just the client with hot reloading:

npm run start:client

Server Only

To run just the server with development settings:

npm run start:server-dev

Connecting to staging or production backends

Sometimes it's useful to connect to production servers when replaying a game, testing user profiles, purchases, or login flow.

To replay a production game, make sure you are on the same commit the game was executed on; you can find the gitCommit value via https://api.openfront.io/game/[gameId]. Unfinished games cannot be replayed on localhost.

To connect to staging api servers:

npm run dev:staging

To connect to production api servers:

npm run dev:prod

🛠️ Development Tools

  • Format code:

    npm run format
    
  • Lint code:

    npm run lint
    
  • Lint and fix code:

    npm run lint:fix
    
  • Testing

    npm test
    

🏗️ Project Structure

  • /src/client - Frontend game client
  • /src/core - Shared game logic
  • /src/server - Backend game server
  • /resources - Static assets (images, maps, etc.)

🤝 Contributing

Contributions are welcome! Please feel free to submit a Pull Request.

  1. Request to join the development Discord.
  2. Fork the repository
  3. Create your feature branch (git checkout -b amazing-feature)
  4. Commit your changes (git commit -m 'Add some amazing feature')
  5. Push to the branch (git push origin amazing-feature)
  6. Open a Pull Request

🌐 Translation

Translators are welcome! Please feel free to help translate into your language. How to help?

  1. Join the translation Discord
  2. Go to the project's Crowdin translation page: https://crowdin.com/project/openfront-mls
  3. Login if you already have an account / Sign up if you don't have one
  4. Join the project
  5. Select the language you want to translate in. If your language isn't on the list, click the "Request New Language" button and enter the language you want added there.
  6. Translate the strings

Feel free to ask questions in the translation Discord server!

Project Governance

  • The project maintainer (evan) has final authority on all code changes and design decisions
  • All pull requests require maintainer approval before merging
  • The maintainer reserves the right to reject contributions that don't align with the project's vision or quality standards

Contribution Path for New Contributors

To ensure code quality and project stability, we use a progressive contribution system:

  1. New Contributors: Limited to UI improvements and small bug fixes only

    • This helps you become familiar with the codebase
    • UI changes are easier to review and less likely to break core functionality
    • Small, focused PRs have a higher chance of being accepted
  2. Established Contributors: After several successful PRs and demonstrating understanding of the codebase, you may work on more complex features

  3. Core Contributors: Only those with extensive experience with the project may modify critical game systems

How to Contribute Successfully

  1. Before Starting Work:

    • Open an issue describing what you want to contribute
    • Wait for maintainer feedback before investing significant time
    • Small improvements can proceed directly to PR stage
  2. Code Quality Requirements:

    • All code must be well-commented and follow existing style patterns
    • New features should not break existing functionality
    • Code should be thoroughly tested before submission
    • All code changes in src/core MUST be tested.
  3. Pull Request Process:

    • Keep PRs focused on a single feature or bug fix
    • Include screenshots for UI changes
    • Describe what testing you've performed
    • Be responsive to feedback and requested changes
  4. Testing Requirements:

    • Verify your changes work as expected
    • Test on multiple systems/browsers if applicable
    • Document your testing process in the PR

Communication

  • Be respectful and constructive in all project interactions
  • Questions are welcome, but please search existing issues first
  • For major changes, discuss in an issue before starting work

Final Notes

Remember that maintaining this project requires significant effort. The maintainer appreciates your contributions but must prioritize long-term project health and stability. Not all contributions will be accepted, and that's okay.

Thank you for helping make OpenFront better!
