feat(TournamentTab): add HTML escaping utility and improve player name rendering

- Introduced `escapeHtml` method to sanitize HTML content, enhancing security against XSS attacks. - Refactored player name rendering in tournament results to utilize the new HTML escaping method, ensuring safe display of player names and table data.
2026-05-12 23:23:04 +02:00
parent 48f71b9df1
commit 1e23171370
7 changed files with 1063 additions and 59 deletions
--- a/frontend/src/views/TournamentTab.vue
+++ b/frontend/src/views/TournamentTab.vue
@@ -1999,6 +1999,14 @@ export default {
                name2: this.getPlayerName(match.player2)
            };
        },
+        escapeHtml(value) {
+            return String(value ?? '')
+                .replace(/&/g, '&amp;')
+                .replace(/</g, '&lt;')
+                .replace(/>/g, '&gt;')
+                .replace(/"/g, '&quot;')
+                .replace(/'/g, '&#039;');
+        },

        async loadTournaments() {
            try {
@@ -2507,9 +2515,8 @@ export default {

                // 8. Dialog mit Ergebnis anzeigen
                const rows = assignments.map(({ match, table }) => {
-                    const name1 = this.getPlayerName(match.player1);
-                    const name2 = this.getPlayerName(match.player2);
-                    return `<tr><td style="font-weight:bold; padding:0.35rem 0.75rem;">${table}</td><td style="padding:0.35rem 0.75rem;">${name1}</td><td style="padding:0.35rem 0.75rem;">${name2}</td></tr>`;
+                    const { name1, name2 } = this.getMatchPlayerNames(match);
+                    return `<tr><td style="font-weight:bold; padding:0.35rem 0.75rem;">${this.escapeHtml(table)}</td><td style="padding:0.35rem 0.75rem;">${this.escapeHtml(name1)}</td><td style="padding:0.35rem 0.75rem;">${this.escapeHtml(name2)}</td></tr>`;
                });
                const html = `<table style="margin:0.75rem auto; border-collapse:collapse; color:#000;"><thead><tr><th style="padding:0.35rem 0.75rem; border-bottom:2px solid #ccc; text-align:left;">${this.$t('tournaments.table')}</th><th style="padding:0.35rem 0.75rem; border-bottom:2px solid #ccc; text-align:left;">${this.$t('tournaments.playerOne')}</th><th style="padding:0.35rem 0.75rem; border-bottom:2px solid #ccc; text-align:left;">${this.$t('tournaments.playerTwo')}</th></tr></thead><tbody>${rows.join('')}</tbody></table>`;