HTML input is not escaped

[BenjaminHofstetter]

• [ ] System Information

  • [ ] Browser type and version: any
  • [ ] OS type and version: any

• [ ] Describe the bug Potential Cross-Site Scripting (XSS) vulnerability

• [ ] To Reproduce

  1. Go to https://tarekraafat.github.io/autoComplete.js/demo/
  2. paste <img/src='x'/onerror='alert(8)'> into the input field

• [ ] Expected behavior HTML input is not escaped.

[folknor]

https://tarekraafat.github.io/autoComplete.js/#/usage

[tpluscode]

Curious, what kind of flexibility is mentioned here?

When I type markup in a combo box, I do not see circumstances in which I'd want that added actual DOM to the page