From 3408f96df48c9af2a284649dfafa6a074b55c4e7 Mon Sep 17 00:00:00 2001
From: enki
Date: Wed, 28 Dec 2022 22:44:46 +0900
Subject: [PATCH] Fix XSS vulnerability in spectator name list
---
 src/game-ui.ts | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/src/game-ui.ts b/src/game-ui.ts
index d9d9337..2824c04 100644
--- a/src/game-ui.ts
+++ b/src/game-ui.ts
@@ -178,9 +178,11 @@ export class GameUi {
 continue;
 }
- this.elements.spectators.insertAdjacentHTML("beforeend", `
-
${value}
- `);
+ const spectatorName = document.createElement('div');
+ spectatorName.className = "mt-2 badge badge-success w-100 py-2";
+ spectatorName.dataset.spectatorId = key;
+ spectatorName.innerText = value;
+ this.elements.spectators.insertAdjacentElement('beforeend', spectatorName);
 }
 this.isSpectating = this.client.spectators.get(this.client.playerId()) !== null;
 this.spectatorOverlay.setEnabled(this.isSpectating);
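Review bot: `spectatorName.innerText = value;` closes the markup-injection path, but `textContent` is the more predictable sink for an untrusted name, because the `innerText` setter converts line breaks in the string into `<br>` elements while `textContent` always produces a single text node; I would write `spectatorName.textContent = value;`. The removed call interpolated `${value}` into a template literal passed to `insertAdjacentHTML`, so any other place that renders player or spectator names through `insertAdjacentHTML` or `innerHTML` needs the same change; none is visible in this hunk, so a search of the file is worth doing before the issue is closed. A short comment above the new lines, such as `// Names are user-controlled: build the node and set text, never interpolate into HTML.`, would keep a later refactor from reintroducing the template string. The enclosing loop starts above the hunk, so where `key` and `value` come from, and whether names are length- or charset-limited upstream, cannot be confirmed from here.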