Open oliverklee opened 8 years ago
The priority set in part 2 of the tutorials also needs to be escaped.
Oh, I'm not quite sure whether this bug report actually belongs to the tutorial (i.e., in this project) or in one of the other hoodie projects.
I've entered the same ticket at my-first-hoodie: https://github.com/hoodiehq/my-first-hoodie/issues/82
The XSS in the priorities still needs to be fixed in the documentation, and the documentation also needs to be updated once the vulnerability in my-first-hoodie is fixed.
Thanks a ton @oliverklee! I've seen your other issue, too. I will look into it as fast as possible, but likely not before Christmas. Maybe someone else finds some time?
Just a quick note that I did not forget about it. I'm going through my long list of todos right now. I need to take care of other things first, but won't forget about this and https://github.com/hoodiehq/my-first-hoodie/issues/82. Thanks again Oliver!
Sorry that we still didn't get to fix these. I've got it on my list and hope to get to it soon.
The paint() function in main.js has a cross-site scripting vulnerability:
How to reproduce:
Add a to-do item with the following title:
The text needs to be escaped (more correctly: encoded): https://stackoverflow.com/questions/24816/escaping-html-strings-with-jquery