Closed DavidMStraub closed 4 years ago
This turned out to be simpler than assumed since, except for the note content, there is no usage of innerHTML
in the frontend, and lit-element is (mostly) safe from XSS thanks to HTML templating.
Thus, solved by 6f07892.
To prevent possible JavaScript code injection, unwanted tags should be filtered out from the body of notes.
All other text fields should probably be stripped of all tags.
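As an added example (not the project's code and not what commit 6f07892 does), the two behaviours the issue asks for in plain JavaScript: an allowlist sanitizer for note bodies that keeps a few formatting tags and drops everything else, and a strip-all-tags helper for the remaining text fields. It is written without `DOMParser` so it runs in Node as well as the browser. The allowed tag set, the `href` policy and the added `rel` attribute are assumptions made here; a production frontend should prefer a maintained DOM-based sanitizer such as DOMPurify over a hand-written tokenizer.

```javascript
// Added example: allowlist HTML sanitizer for note bodies plus a strip-all-tags
// helper for other fields. Illustrative only; not the project's own code.

// Tags allowed to survive in a note body (assumed set; the issue names none).
const ALLOWED_TAGS = new Set(['p', 'br', 'b', 'i', 'u', 'em', 'strong', 'ul', 'ol', 'li', 'a']);
// Elements whose text content is discarded together with the tags themselves.
const DROP_CONTENT_TAGS = new Set(['script', 'style', 'iframe', 'object', 'embed',
  'svg', 'math', 'template', 'noscript']);
const VOID_TAGS = new Set(['br']);
// href is kept only as a plain absolute http(s) URL containing nothing that could
// close the attribute or the tag; anything else (javascript:, data:, entity
// tricks, leading whitespace) is simply dropped.
const SAFE_HREF = /^https?:\/\/[^\s"'<>]*$/i;
// One token per match: a comment, a tag, a run of text, or a stray '<'.
const TOKEN_RE = /<!--[\s\S]*?-->|<\/?([a-zA-Z][a-zA-Z0-9-]*)([^>]*)>|[^<]+|</g;

// Escape text for innerHTML, leaving entities that are already well-formed alone.
function escapeText(s) {
  return s
    .replace(/&(?![a-zA-Z][a-zA-Z0-9]*;|#\d+;|#[xX][0-9a-fA-F]+;)/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;');
}

// Rebuild a note body from tokens, keeping only allowlisted tags, no attributes
// except a vetted href on <a>, and closing whatever the input left open.
function sanitizeNoteHtml(html) {
  const out = [];
  const open = [];        // stack of currently open allowed tags
  let skipUntil = null;   // name of a DROP_CONTENT tag whose body is being discarded
  for (const m of html.matchAll(TOKEN_RE)) {
    const [tok, rawName, rawAttrs] = m;
    const name = rawName ? rawName.toLowerCase() : null;
    const isClose = tok.startsWith('</');
    if (skipUntil) {
      if (name === skipUntil && isClose) skipUntil = null;
      continue;
    }
    if (tok.startsWith('<!--')) continue;                     // comments never survive
    if (!name) { out.push(escapeText(tok)); continue; }       // text or a stray '<'
    if (DROP_CONTENT_TAGS.has(name)) { if (!isClose) skipUntil = name; continue; }
    if (!ALLOWED_TAGS.has(name)) continue;                    // unknown tag: drop tag, keep text
    if (isClose) {
      if (VOID_TAGS.has(name)) continue;
      const idx = open.lastIndexOf(name);
      if (idx === -1) continue;                               // stray closing tag
      while (open.length > idx) out.push(`</${open.pop()}>`); // close nested tags in order
      continue;
    }
    let attrs = '';
    if (name === 'a') {
      const href = /\bhref\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/i.exec(rawAttrs);
      const value = href && (href[1] ?? href[2] ?? href[3]);
      // rel="noopener noreferrer" is an assumption of this example, not of the project.
      if (value && SAFE_HREF.test(value)) attrs = ` href="${value}" rel="noopener noreferrer"`;
    }
    out.push(`<${name}${attrs}>`);
    if (!VOID_TAGS.has(name)) open.push(name);
  }
  while (open.length) out.push(`</${open.pop()}>`);
  return out.join('');
}

// Decode the entities a stripped field is likely to carry so the result is plain text.
function decodeEntities(s) {
  const named = { amp: '&', lt: '<', gt: '>', quot: '"', apos: "'", nbsp: '\u00a0' };
  return s.replace(/&(#[xX][0-9a-fA-F]+|#\d+|[a-zA-Z]+);/g, (whole, ent) => {
    if (ent[0] === '#') {
      const hex = ent[1] === 'x' || ent[1] === 'X';
      const cp = hex ? parseInt(ent.slice(2), 16) : parseInt(ent.slice(1), 10);
      return Number.isFinite(cp) && cp <= 0x10ffff ? String.fromCodePoint(cp) : whole;
    }
    return named[ent.toLowerCase()] ?? whole;
  });
}

// Plain text for fields that must carry no markup at all (names, places, ...).
// The result is meant for a text binding, never for innerHTML.
function stripTags(html) {
  let text = '';
  let skipUntil = null;
  for (const m of html.matchAll(TOKEN_RE)) {
    const [tok, rawName] = m;
    const name = rawName ? rawName.toLowerCase() : null;
    const isClose = tok.startsWith('</');
    if (skipUntil) { if (name === skipUntil && isClose) skipUntil = null; continue; }
    if (tok.startsWith('<!--')) continue;
    if (name) { if (DROP_CONTENT_TAGS.has(name) && !isClose) skipUntil = name; continue; }
    text += tok;
  }
  return decodeEntities(text);
}
```

Only `sanitizeNoteHtml` output is suitable for an `unsafeHTML`-style binding; `stripTags` output belongs in an ordinary text binding, which lit-element escapes on its own. Unknown tags lose their markup but keep their text, while `script`-like elements lose their content too, so an unclosed `<script>` swallows the rest of the note rather than leaking it.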