### Vulnerability Overview

This vulnerability is a Cross-Site Scripting (XSS) flaw occurring within the `ShowBase64Offsets` operation. The root cause is the lack of proper escaping for user input, which allows malicious scripts to be injected and executed.

### Impact Scope

- **Affected File**: `src/core/operations/ShowBase64Offsets.mjs`
- **Affected Functionality**: When displaying Base64-encoded offsets, if the input contains special characters, it may trigger an XSS attack.

### Remediation

- **Fixed File**: `src/core/operations/ShowBase64Offsets.mjs`
- **Fix Details**:
  - Escape all user inputs when generating HTML output to prevent malicious script injection.
  - Specific modifications include adding calls to the `Utils.escapeHtml()` function in multiple locations to ensure all user inputs are correctly escaped.

### POC Code

```javascript
{
    name: "Show Base64 offsets: escapes static output",
    input: "vWbVx16Vx83Vx19Vx51Vx87",
    expectedOutput: "<script>\n<!--AqmsRk66v&k1:1x1AE1ME-->\n",
    recipeConfig: [
        {
            op: "Show Base64 offsets",
            args: ["ABCDEF0123456789JKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=", false, "Raw"],
        },
    ],
},
```

### Summary

This vulnerability leads to XSS attacks due to unescaped user input. The remediation involves escaping all user inputs when generating HTML output to ensure security.
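The escape-at-output pattern from the remediation, as an added example that is not CyberChef's code: `escapeHtml` is a stand-in for the `Utils.escapeHtml()` the fix calls, and `encodeAtOffset`, `renderOffsets`, `leaksRawMarkup` and the sample values are hypothetical. It renders the same view with and without escaping and runs a regression check over both results.

```javascript
// Added example, not CyberChef source. escapeHtml() stands in for the
// Utils.escapeHtml() named in the fix; the other helpers are hypothetical.
const ENTITIES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;" };

function escapeHtml(value) {
    return String(value).replace(/[&<>"']/g, ch => ENTITIES[ch]);
}

// Base64-encode `text` after prepending `offset` padding bytes.
function encodeAtOffset(text, offset) {
    return Buffer.from("\0".repeat(offset) + text, "latin1").toString("base64");
}

// Builds the HTML view. With escape=false every untrusted value is
// concatenated as-is (the pre-fix pattern); with escape=true each value
// passes through escapeHtml() at the point where it enters the markup.
function renderOffsets(input, label, escape) {
    const esc = escape ? escapeHtml : v => v;
    const rows = [0, 1, 2].map(offset =>
        `<tr><td>Offset ${offset}</td><td>${esc(encodeAtOffset(input, offset))}</td></tr>`);
    return `<table title="${esc(label)}"><caption>${esc(input)}</caption>${rows.join("")}</table>`;
}

// Regression check: true if any untrusted value that contains HTML
// metacharacters appears verbatim in the rendered output.
function leaksRawMarkup(html, untrustedValues) {
    return untrustedValues.some(v => /[&<>"']/.test(v) && html.includes(v));
}

// Constructed sample values, not taken from the advisory.
const sampleInput = "<b>bold</b>";
const sampleLabel = 'A-Z" data-x="1';
const untrusted = [sampleInput, sampleLabel];

console.log("unescaped leaks:", leaksRawMarkup(renderOffsets(sampleInput, sampleLabel, false), untrusted));
console.log("escaped leaks:  ", leaksRawMarkup(renderOffsets(sampleInput, sampleLabel, true), untrusted));
```

The check belongs in the operation's test suite so that a later change which drops one of the escape calls fails the build.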