There are some serious XSS problems. I see little to no attempt to sanitize data that comes out of the database before it's just dumped into HTML in most of rpgwebprofiler. Character names and campaign names are checked on the way in upon creation, but not upon edits in the case of campaigns (character names are immutable, so this isn't an issue). Attached is a patch which attempts to fix the brunt of this for campaign names and descriptions, but the entire app really needs an audit for XSS holes.
Examples of holes fixed by this patch:
- create a campaign; change its name to "<blink>XSS</blink>"
- set a campaign description to "XSS<script language=javascript type=text/javascript>var x=String.fromCharCode;var s=x(88)+x(83)+x(83);alert(s);</script>"
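As an added illustration (Python, written for this page; it is not rpgwebprofiler's code, the attached patch, or a guess at the project's templates), the following puts the unescaped rendering pattern the report describes beside the output-escaping fix, treats the campaign edit form as a second output sink, and includes a small audit helper that flags any renderer whose output contains tags the template did not put there. The sample rows, the `esc`, `foreign_tags` and `audit` helpers, and the form action URL are all constructed for the example; the two payload values are the ones quoted above.

```python
import html
import re

# Constructed sample rows, standing in for what a SELECT on the campaigns
# table might return after an edit. The two payloads are the ones quoted in
# the report above; the second row is ordinary data with characters that
# also need escaping.
SAMPLE_CAMPAIGNS = [
    {
        "id": 1,
        "name": "<blink>XSS</blink>",
        "description": (
            "XSS<script language=javascript type=text/javascript>"
            "var x=String.fromCharCode;var s=x(88)+x(83)+x(83);alert(s);</script>"
        ),
    },
    {
        "id": 2,
        "name": "Tomb of Horrors",
        "description": 'Classic "meat grinder" dungeon & friends',
    },
]


def render_campaign_unsafe(campaign):
    """The pattern the report describes: database values dropped straight into HTML."""
    return f"<h2>{campaign['name']}</h2>\n<p>{campaign['description']}</p>"


def esc(value):
    """Escape a value for an HTML text or double-quoted attribute context.

    html.escape with quote=True turns & < > " ' into entities, so the value can
    never close the surrounding tag or attribute. Doing this at output time
    covers rows that were edited after any create-time check ran.
    """
    return html.escape(str(value), quote=True)


def render_campaign_safe(campaign):
    """Same page as render_campaign_unsafe, with every untrusted value escaped on output."""
    return f"<h2>{esc(campaign['name'])}</h2>\n<p>{esc(campaign['description'])}</p>"


def render_edit_form_safe(campaign):
    """The edit form is an output sink too: the stored name is echoed back into a
    value="..." attribute and the description into a textarea, so both get the
    same escaping as the display page. The action URL is a placeholder."""
    return (
        f'<form method="post" action="/edit-campaign?id={int(campaign["id"])}">\n'
        f'<input type="text" name="name" value="{esc(campaign["name"])}">\n'
        f'<textarea name="description">{esc(campaign["description"])}</textarea>\n'
        "</form>"
    )


# Matches the tag name of any opening or closing tag in a rendered fragment.
_TAG_RE = re.compile(r"<\s*/?\s*([A-Za-z][A-Za-z0-9]*)")


def foreign_tags(rendered, allowed):
    """Return the set of tag names in `rendered` that are not part of the template.

    Anything left over came from the data, i.e. escaping was skipped somewhere.
    """
    return {m.group(1).lower() for m in _TAG_RE.finditer(rendered)} - set(allowed)


def audit(campaigns, renderer, allowed):
    """Run a renderer over sample rows and return the ids whose output leaks markup."""
    return [c["id"] for c in campaigns if foreign_tags(renderer(c), allowed)]


if __name__ == "__main__":
    print(audit(SAMPLE_CAMPAIGNS, render_campaign_unsafe, {"h2", "p"}))  # [1]
    print(audit(SAMPLE_CAMPAIGNS, render_campaign_safe, {"h2", "p"}))    # []
    print(render_campaign_safe(SAMPLE_CAMPAIGNS[0]))
    print(render_edit_form_safe(SAMPLE_CAMPAIGNS[0]))
```

The audit helper is deliberately crude: it only catches data that introduces a tag, which is enough to confirm the two reported cases, but the real fix is the one `render_campaign_safe` shows, escaping at every point where a stored value meets markup rather than relying on checks at creation time.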