```ts
profiles[0][profNum] = (
  document.querySelector(`#nameProf${profNum}`) as HTMLInputElement
).value;
```
^ Just the first instance I found.
Zero validation (mostly) that any user input isn't going to crash the code.
Admittedly, everything is client-side, so it's not a real issue, which is why I'm not filing a security advisory or whatnot and just posting it in an issue.
Who is going to try to break their own map?
Maybe it allows a malicious bookmarklet? IDK.
See also: The Dangers of Square Bracket Notation
psdtools.github.io/packages/phs-map/src/script.ts
Lines 342 to 344 in a649be1
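One way to validate the key before it reaches bracket notation, as an added example that is not code from the psdtools repository. `parseProfileIndex`, `setProfileName`, `readField`, `MAX_PROFILES` and the sample map are hypothetical names and constructed data; the DOM lookup is passed in as a function so the block also runs outside a browser.

```typescript
type ProfileTable = string[][];

const MAX_PROFILES = 16; // assumed upper bound, not taken from the project

/** Returns `raw` as a number if it is a plain decimal index below `limit`, else null. */
function parseProfileIndex(raw: unknown, limit: number = MAX_PROFILES): number | null {
  const text = typeof raw === "number" ? String(raw) : raw;
  // Only canonical non-negative integers pass: no "__proto__", "constructor", "-1", "01", "1e3".
  if (typeof text !== "string" || !/^(0|[1-9]\d{0,3})$/.test(text)) return null;
  const n = Number(text);
  return n < limit ? n : null;
}

/**
 * Checked form of `profiles[0][profNum] = (querySelector(...) as HTMLInputElement).value`.
 * `readField` stands in for the DOM lookup and returns null when the element is missing.
 * In a browser it could be:
 *   (sel) => { const el = document.querySelector(sel);
 *              return el instanceof HTMLInputElement ? el.value : null; }
 */
function setProfileName(
  profiles: ProfileTable,
  profNum: unknown,
  readField: (selector: string) => string | null,
): boolean {
  const index = parseProfileIndex(profNum);
  if (index === null) return false; // key is not a valid array index: refuse to write
  const value = readField(`#nameProf${index}`);
  if (value === null) return false; // element missing: no unchecked cast, no TypeError
  const row = profiles[0];
  if (!Array.isArray(row)) return false;
  row[index] = value;
  return true;
}

// Constructed stand-in for the page's input elements.
const fakeDom = new Map<string, string>([
  ["#nameProf0", "Alice"],
  ["#nameProf1", "Bob"],
]);
const readFake = (sel: string): string | null => fakeDom.get(sel) ?? null;

const demoTable: ProfileTable = [[]];
console.log(setProfileName(demoTable, "1", readFake), demoTable);
console.log(setProfileName(demoTable, "__proto__", readFake), demoTable);
```
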