hoodiehq-archive / documentation

⛔️ deprecated. Moved to hoodiehq/hoodie/docs
https://hoodie.readthedocs.io

XSS vulnerability in How to get started tutorial JavaScript #199

Open oliverklee opened 8 years ago

oliverklee commented 8 years ago

The paint() function in main.js has a cross-site scripting vulnerability:

  $el.append(
    '<li data-id="' + collection[i].id + '">' +
      '<input type="checkbox"> <label>' + collection[i].title + '</label>' +
      '<input type="text" value="' + collection[i].title + '"/>' +
    '</li>'
  );

How to reproduce:

Add a to-do item with the following title:

"/><script>alert(1);</script>

The text needs to be escaped (more correctly: encoded): https://stackoverflow.com/questions/24816/escaping-html-strings-with-jquery
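A hardened version of the rendering step, as an added example that is not code from the tutorial or from the issue author: every untrusted value is HTML-encoded before it is concatenated into markup, so the title from the report above becomes literal text instead of a new element. The function names escapeHtml, renderTodoItem and renderCollection are assumptions, and the sample collection is constructed; the same encoder applies to the priority field mentioned for part 2 of the tutorial.

```javascript
// Added example, not the tutorial's own code.
// Encode the five characters that can break out of text or attribute context.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Same markup as the tutorial's paint(), but with id and title encoded
// before they are placed in either attribute or text context.
function renderTodoItem(item) {
  var id = escapeHtml(item.id);
  var title = escapeHtml(item.title);
  return (
    '<li data-id="' + id + '">' +
      '<input type="checkbox"> <label>' + title + '</label>' +
      '<input type="text" value="' + title + '"/>' +
    '</li>'
  );
}

// Drop-in for the loop in paint(): returns the HTML for the whole
// collection, ready for $el.append(...).
function renderCollection(collection) {
  return collection.map(renderTodoItem).join('');
}

// Constructed sample: the title from the bug report above.
var sampleCollection = [
  { id: 'todo-1', title: '"/><script>alert(1);</script>' }
];
```

Building the elements with DOM APIs (for example jQuery's .attr() and .text()) avoids string concatenation altogether and is the more robust choice for new code.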

oliverklee commented 8 years ago

The priority set in part 2 of the tutorials also needs to be escaped.

oliverklee commented 8 years ago

Oh, I'm not quite sure whether this bug report actually belongs to the tutorial (i.e., in this project) or in one of the other hoodie projects.

oliverklee commented 8 years ago

I've entered the same ticket at my-first-hoodie: https://github.com/hoodiehq/my-first-hoodie/issues/82

The XSS in the priorities still needs to be fixed in the documentation, and the documentation also needs to be updated once the vulnerability in my-first-hoodie is fixed.

gr2m commented 8 years ago

Thanks a ton @oliverklee! I’ve seen your other issue, too. I will look into it as fast as possible, but likely not before christmas. Maybe someone else finds some time?

gr2m commented 8 years ago

Just a quick note that I did not forget about it. I’m going through my long list of todos right now. I need to take care of other things first, but won’t forget about this and https://github.com/hoodiehq/my-first-hoodie/issues/82. Thanks again Oliver!

gr2m commented 8 years ago

Sorry that we still didn’t get to fix these. I have it on my list and hope to get to it soon.