Submit a merge request that closes this issue to earn points on merge — bounties stack on the standard +40 merge_pr award. New to the repo? See the Contributing guide, and Local Development & SSO to run the app locally (cp .dev.vars.example .dev.vars && pnpm dev, after rebasing on main) and fully test your change before opening the MR.

Description

Any user-provided string rendered into HTML without escapeHtml, or any innerHTML / dangerouslySetInnerHTML with attacker-controlled content.

Likely surfaces

  • All scoreboard templates (apps/scoreboard/src/templates/)
  • The wiki — Astro content, but custom Astro components could miss escaping
  • Field Notes editor preview if it renders unescaped HTML
  • Career Board / Task Exchange listings with user descriptions
  • Bot replies if they re-emit user input into formatted messages with HTML-like sinks (Markdown → HTML pipelines)

Stored vs reflected

Stored XSS (persisted in D1, rendered to other users) → medium minimum, often high if it executes for admin. Reflected XSS (URL-only) → low/medium. Self-XSS only → out of scope.

--- *This is NOT a normal bounty. Do not post a public PoC or a public PR demonstrating the vulnerability. Submit findings via the bug-report form at https://score.irregulars.io/contribute#report-bug, or email security@irregularchat.com, or DM an admin on Signal. Awards are admin-determined based on impact: low=50 / medium=150 / high=300 / critical=500 / rce=750.*

Relevant files

No relevant files linked yet.

Hints

No hints yet.

Activity

No points have been awarded for this bounty yet.

Comments

No comments yet. Be the first to weigh in.

↑ Top