#81

@jun92

Description

security-medium medium

The HandleReqUpdatePlayerName method accepts a player name from a client-supplied packet and passes it directly to the UpdatePlayerName method without any validation or sanitization. An attacker could provide an arbitrarily long string, leading to a Denial of Service (DoS) by consuming database space or memory. Furthermore, if this name is later rendered in a UI without proper escaping, it could lead to Cross-Site Scripting (XSS) or other injection attacks. Implement strict validation on the PlayerName input, including a maximum length check and potentially a whitelist of allowed characters.

Originally posted by @gemini-code-assist[bot] in #80 (comment)
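One way to implement the validation the comment asks for, as an added example in Go that is not the project's code: the HandleReqUpdatePlayerName signature, the PlayerStore interface and the MemStore stand-in are assumptions, and the length cap and character whitelist are placeholder values to tune to the real schema and UI.

```go
package main

import (
	"errors"
	"fmt"
)

// MaxNameLen is an assumption for this example; size it to the database column and the UI.
const MaxNameLen = 16

var ErrInvalidPlayerName = errors.New("invalid player name")

// allowedByte is the whitelist: ASCII letters, digits and underscore. Checking bytes also rejects non-ASCII and malformed UTF-8.
func allowedByte(b byte) bool {
	return (b >= 'a' && b <= 'z') || (b >= 'A' && b <= 'Z') || (b >= '0' && b <= '9') || b == '_'
}

// ValidatePlayerName rejects empty or oversized names first (bounding later work), then any byte outside the whitelist.
func ValidatePlayerName(name string) error {
	if len(name) == 0 || len(name) > MaxNameLen {
		return fmt.Errorf("%w: length %d not in 1..%d", ErrInvalidPlayerName, len(name), MaxNameLen)
	}
	for i := 0; i < len(name); i++ {
		if !allowedByte(name[i]) {
			return fmt.Errorf("%w: byte %q at offset %d", ErrInvalidPlayerName, name[i], i)
		}
	}
	return nil
}

// PlayerStore is a hypothetical stand-in for whatever owns UpdatePlayerName; MemStore is a constructed in-memory implementation.
type PlayerStore interface{ UpdatePlayerName(id uint64, name string) error }
type MemStore struct{ Names map[uint64]string }

func (m *MemStore) UpdatePlayerName(id uint64, name string) error { m.Names[id] = name; return nil }

// HandleReqUpdatePlayerName validates at the packet boundary, so a bad name never reaches UpdatePlayerName.
func HandleReqUpdatePlayerName(store PlayerStore, playerID uint64, name string) error {
	if err := ValidatePlayerName(name); err != nil {
		return err // caller answers with an error packet instead of persisting
	}
	return store.UpdatePlayerName(playerID, name)
}

func main() {
	s := &MemStore{Names: map[uint64]string{}}
	for _, n := range []string{"Alice_01", "<script>alert(1)</script>", ""} {
		fmt.Printf("%q -> %v\n", n, HandleReqUpdatePlayerName(s, 7, n))
	}
}
```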
