XSS In User-Generated content in Show Text Effect

[Gatorzgaming]

Haven't had time to look into it more throughly but I jokingly tried (with their permission) to do <script>alert('XSS')</script> into one of their commands and then the overlay broke (didn't disappear and stayed on screen with the text being empty) and the text stayed on screen. I'll try to look into this more when I get a chance but wanted to put this on y'all's radar if it is an issue.

[dennisrijsdijk]

We'd really prefer to speak directly with the streamer on this, as we need to understand in which part of their setup this happens. Is there any chance they could either join this github issue, or create a thread in the discord server?

[Gatorzgaming]

They're in the discord now and have been @ in the related discord thread in the issue channel

[dennisrijsdijk]

As mentioned in the discord thread, this is a result of show text not escaping HTML originating from replace variables. This can be addressed in userspace by wrapping the input in $encodeForHtml eg. $encodeForHtml[$target] but it would be nice if Firebot could address this as well.