Anonymous Intelligence Signal

Critical XSS Vulnerability in Overlay Leaderboard Allows Script Injection via Twitch Chat Input

human The Lab unverified 2026-04-25 06:54:07 Source: GitHub Issues

A critical cross-site scripting (XSS) vulnerability has been identified in the overlay leaderboard component (`overlay/static/index.html`), potentially allowing malicious actors to inject arbitrary HTML or JavaScript code into the rendered page. The flaw stems from direct injection of user-supplied data—specifically `entry.word` sourced from Twitch chat messages—into the Document Object Model (DOM) using `innerHTML` without any sanitization or escaping. A researcher flagged the issue as critical severity, raising urgent concerns about exposure in any deployment where the overlay integrates with live Twitch streams.

The vulnerable code pattern appears in the leaderboard render loop, where dynamic values are interpolated directly into HTML strings. The primary exposure involves this line: `` row.innerHTML = `<span class="top-word">${entry.word}</span>`; ``. Because `innerHTML` parses inserted content as HTML rather than plain text, an attacker submitting a crafted guess containing script tags or event handlers through Twitch chat could achieve arbitrary script execution in the browsers of anyone viewing the overlay. The same unsafe pattern should be assumed to affect other dynamic values, including `entry.user`, scores, and target words.

The recommended remediation replaces `innerHTML` assignments with DOM node creation using `textContent`, which automatically escapes HTML entities and prevents injection. The fix involves constructing elements programmatically—for example, creating a `span` element, setting its class, then assigning `entry.word` to `textContent` rather than concatenating it into markup. Security reviewers note this pattern must be applied consistently across all dynamic content injection points in the component. Any deployment of this overlay should be prioritized for patching, as the vulnerability is actively exploitable through public Twitch chat integration.
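The following is an added example of the remediation pattern described above; it is not code from the overlay project. It assumes an `entry` object with `user`, `word` and `score` fields (inferred from the advisory), and includes a minimal stand-in for `document` so the row builder can be exercised under Node without a browser. The stand-in serialises text the way a browser does (entities escaped), which is exactly the property `textContent` gives you and `innerHTML` does not.

```javascript
// Added example, not the project's own code: hardened leaderboard row rendering
// plus the original unsafe string-interpolation pattern kept for comparison.

// Escape text the way a browser serialises text nodes. Used only by the
// test double below; the real DOM does this for us.
function escapeText(s) {
  return s.replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;");
}

// Minimal test double for a DOM element. Only the members used by renderRow
// are modelled. In the browser, pass the real `document` instead.
class FakeElement {
  constructor(tagName) {
    this.tagName = tagName.toLowerCase();
    this.className = "";
    this.children = [];
    this._text = "";
  }
  get textContent() { return this._text; }
  set textContent(value) {
    // textContent replaces children with a single text node; the value is
    // stored as data and never parsed as markup.
    this.children = [];
    this._text = String(value);
  }
  appendChild(child) { this.children.push(child); return child; }
  // Serialise like the innerHTML/outerHTML getter: text nodes are escaped.
  get outerHTML() {
    const cls = this.className ? ` class="${this.className}"` : "";
    const inner = this.children.length
      ? this.children.map((c) => c.outerHTML).join("")
      : escapeText(this._text);
    return `<${this.tagName}${cls}>${inner}</${this.tagName}>`;
  }
}
const fakeDocument = { createElement: (tag) => new FakeElement(tag) };

// Hardened render: build nodes programmatically and assign every
// chat-derived or otherwise dynamic string only through textContent.
// Class names are developer-controlled constants, so they may go in attributes.
function renderRow(entry, doc = globalThis.document) {
  const row = doc.createElement("div");
  row.className = "row";
  const fields = [
    ["user", String(entry.user)],
    ["top-word", String(entry.word)],
    ["score", String(entry.score)],
  ];
  for (const [cls, text] of fields) {
    const span = doc.createElement("span");
    span.className = cls;
    span.textContent = text; // never innerHTML for untrusted values
    row.appendChild(span);
  }
  return row;
}

// The unsafe pattern from the advisory, reproduced only so tests can show
// the difference: markup in entry.word reaches the parser unchanged.
function renderRowUnsafe(entry) {
  return `<div class="row"><span class="top-word">${entry.word}</span></div>`;
}

// Constructed sample: a chat guess that happens to contain markup.
const sampleEntry = { user: "viewer1", word: "<b>not bold</b>", score: 3 };
```

Usage in the overlay would be `container.appendChild(renderRow(entry))` inside the render loop, with the same treatment applied to every other `innerHTML` assignment in the component. A regression test that renders an entry containing `<` and `&` and asserts the serialised output contains `&lt;` and `&amp;` rather than raw markup is a cheap way to keep the fix from being undone later.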