jkk / eidogo Goto Github PK

How can i fix this?

The number marker increments for each successive placed marker, however, upon using "clear marker" and placing another number, the value is the next incremented number.

Example:

1. select "Number" from Tool drop-down.
2. Place marker on board. Expected Value: 1
3. Clear the marker (If possible. There is another issue with clear marker)
4. Place marker on board. Expected Value: 1, Actual: 2

What should happen instead is the highest value placed should be the lowest+1 of the current collection of markers.

When using both tree view and shortcut after reusing the same container and playing the mark "current node" stay on several nodes on the tree view.

example:

var player = new eidogo.Player({
        container:       "player-container", // HTML element id indicating where to put the player
        theme:           "standard", // "standard" or "compact"
        sgfUrl:          "sgf/example.sgf", // relative URL (within same domain) to SGF file to load 
        loadPath:        [0, 0], // The location within the game tree to start at
        mode:            "play", // "play" or "view"
        showComments:    true,
        showPlayerInfo:  true,
        showGameInfo:    true,
        showTools:       true,
        showOptions:     true,
        showNavTree:     true,
        markCurrent:     true,
        markVariations:  true,
        markNext:        false,
        enableShortcuts: true,
        problemMode:     false
    });
    var player = new eidogo.Player({
        container:       "player-container", // HTML element id indicating where to put the player
        theme:           "standard", // "standard" or "compact"
        sgfUrl:          "sgf/example.sgf", // relative URL (within same domain) to SGF file to load 
        loadPath:        [0, 0], // The location within the game tree to start at
        mode:            "play", // "play" or "view"
        showComments:    true,
        showPlayerInfo:  true,
        showGameInfo:    true,
        showTools:       true,
        showOptions:     true,
        showNavTree:     true,
        markCurrent:     true,
        markVariations:  true,
        markNext:        false,
        enableShortcuts: true,
        problemMode:     false
    });

then press several time on right key

The custom labels "circle", "square", "triangle", and "ex" (cross) produce the corresponding basic shape markup instead of a label with the given string.

Uploading the SGF file string "(;LB[aa:ex])" places a cross in the upper left, and subsequently downloading the SGF still returns "(;LB[aa:ex])".

When using the "black stone" or "white stone" tools to add/remove stones, the editor will place setup properties (AB, AW, AE, etc.) to be placed alongside move properties (B, W, etc.).

The SGF standard specifies that this is illegal for FF[4].
http://www.red-bean.com/sgf/sgf4.html#2.2.1

Variations can be edited/extended in the problem mode, which causes the original programming of the problem to be overridden.

For example, clicking on the back button after an automatic response move then allows the user to change and override the programmed response. Also, after reaching the end of a variation, the user can freely play both colors creating a new sequence of automatic responses.

eidogo.com is vulnerable to LFI in the SGF file upload in "Fetch SGF from a URL".
A malicious actor can exploit this vulnerability to retrieve sensitive files that stored in the server

Here are examples exploiting this vulnerability:

1. http://eidogo.com/backend/fetch.php?url=../../../../../etc/mtab
2. http://eidogo.com/backend/fetch.php?url=../../../../../etc/passwd

• Vulnerable code:

https://github.com/jkk/eidogo/blob/master/backend/upload.php#L32-#L37

• Mitigation:

User controlled input must be sanitized.

http://www.dragongoserver.net/game.php?gid=769859 does not load.
possibly related to this line

looks like EidoGo is fatally flawed for not taking all board sized into account.

Hello Go friends, I'm seeking a way to keep getting the current Move number to as the user move forward or backwards, I'm not sure where is a good point to start looking, please help, thnx

Hello eidogo developers,

I'm writing a tsumego solving js library and found that eidogo can simplify my debugging experience: eidogo can render the search tree and help me understand where the algorithm chose a wrong way. Essentially I need from eidogo a few things:

1. Render SGF.
2. Move to the "current" node in the SGF.
3. Play a move.
4. Make a pass.
5. Undo the move.

It's clear how to render SGF from the samples, but it doesn't seem so clear how to do the rest. Since I couldn't find an interface definition of eidogo, I had to see in debugger how the UI achieves what I need: I put a breakpoint in player.js, click on the board and see what happens. So far I've figured out that in order to play a move it does .playMove, .board.commit and .board.render: this seems to add the move, but doesn't update the game tree.

It would be nice to have the eidogo's interface in form of a TypeScript's .d.ts file:

declare module eidogo {
  interface Player {
    /** move = "ca", color = -1 (white) */
    playMove(move: string, color: number);
    board: {
      commit(): void;
      render(): void;
    }
  }
}

Thanks.

For example, in http://eidogo.com/#3lyWFDzxv:0,0, after BJ17, WJ17, BK15, the node for the WL17 continuation has the wrong parent.

Auto-detect support for new a[download] attribute, and use it to download games where there's no pre-existing download link, in preference to DataURIs.

When I load my game into eidogo via this URL:
http://eidogo.com/#url:http://online-go.com/api/v1/games/938171/sgf

and then open the Chrome Developer Tools, the console yields this stack backtrace:

Uncaught TypeError: undefined is not a function
eidogo.Player.showComments 
eidogo.Player.execNode
eidogo.Player.refresh 
eidogo.Player.goTo 
eidogo.Player.load
eidogo.SgfParser.init
eidogo.SgfParser

On Mozilla Firefox, I get: TypeError: _13f.replace is not a function

On Safari, the call to .showComments() leads to this error:

TypeError: undefined is not a function (evaluating '_13f.replace(/^(\n|\r|\t|\s)+/,"")')

When placing a letter marker, clearing it, and placing again, the next letter in alphabet is used.

Example:

1. Place Letter marker. Expected: "A"
2. Clear marker.
3. Place Letter marker. Expected: "A", Actual: "B"

The highest letter should be the lowest+1 of all current letter markers.

When placing a marker, and then trying to clear it, it does not work. This happens when there is one marker.

Example:

1. Place Letter marker.
2. Clear marker. Expected: The marker is cleared. Actual: The marker is not cleared.
3. Place another Letter marker.
4. Clear first marker. Expected: The marker is cleared. Actual: The marker is cleared.

test issue

Clear Marker tool seems to only work on Letter and Number marks.

I have tested this on Chrome and Safari for Mac.

This is an issue because a position cannot be deleted unless all properties are removed.

At the moment I cannot find a way to remove Triangle, Square, Circle or X marks from a position.

http://eidogo.com/upload

Under the option "paste raw SGF" I tried opening an SGF file in notepad and got this text: https://pastebin.com/raw/PaFjvbr6

When I copy/paste it into the eidogo box, I get an error that says "Received invalid game data". Am I doing it correctly? What does eidogo want when it says to input raw SGF?

Backup link: https://www.reddit.com/r/baduk/comments/lzmcof/how_to_upload_raw_sgf_to_eidogocom/

One can place Letter markers beyond Z at which point the special characters are used until a-z are used. After these, the other special characters are used. When these are used up, no further character is placed.

It should only go through A-Z and then a-z. Beyond that, "Custom Label" should be used.

I would love to see eidogo use query parameters to identify games, like this:

http://eidogo.com/?game=abcdefg

instead of (or alternative to) the current implementation which uses fragment identifiers

http://eidogo.com/#abcdefg

This would solve a problem on reddit (which uses eidogo.com quite a bit), where reddit only allows a single story to link to a given page. Fragments are intended to identify a location in a page, rather than a separate page, so reddit currently sees all fragments on the same base URL as the same page. Using unique query strings would allow sites like reddit to distinguish between different games, and help users post review requests for their games.

If a basic shape (circle, square, triangle, or cross) is used to mark a variation, instead of showing the shape, the name of the shape is shown as if it were a custom label.

The score estimator seems to stop processing moves beyond any move that has a ] in the comments.

Example: http://www.dragongoserver.net/sgf.php?gid=596669, you don't get anything except the score from the first move or two. If I remove the close brackets, it works as expected. I believe they are properly escaped.

EidoGo is susceptible to Cross-Site Scripting (XSS) attacks via maliciously crafted SGF input.

There are actually two separate XSS vulnerabilities:

1. Text from comments and game info are unsafely added into the DOM directly via innerHTML.
2. Any file loaded from URL that begins with a left-curly bracket "{" is assumed to be JSON and unsafely parsed with eval.

Here are examples exploiting each vulnerability:
http://eidogo.com/#xqRLkZhw
http://eidogo.com/#AKilSuG4

A patch attempting to mitigate these security vulnerabilities was submitted in this pull request:
#26
See this pull request for more discussion of the changes.

Note that the pull request does not include an updated minified file. However, a minified file incorporating this patch has been prepared by the OGS developers and is available here:
http://cdn.online-go.com/eidogo.min.js
Compare with:
https://raw.githubusercontent.com/jkk/eidogo/master/player/js/all.compressed.js

The identifier "CVE-2015-3172" has been assigned to refer to this issue.

Disclosure timeline:
April 7, 2015: Privately notified developer of security vulnerability
April 13: Developer acknowledged notification
May 12: Pull request submitted (as requested by developer)
May 14: Webmasters of several affected sites notified in advance
June 14: Public disclosure (having not heard back from developer since before the pull request)