Closed oliverklee closed 8 years ago
I see this needs done still. I can implement and submit a PR today.
I don't think this solution is the right way to go. (HTML) Escaping should not happen when data is stored. Instead, the escaping should be done in context-specific way when the data is used, i.e., the HTML escaping needs to happen when the data is inserted in the HTML.
yeah I agree, sorry I didn’t pay enough attention when merging it. my-first-hoodie
will soon be legacy, it’s not used by the new Hoodie anymore. But we have a new demo app: https://github.com/hoodiehq/hoodie-app-tracker – it might be affected by the same issue :) Wanna have a look?
Done. That version also is vulnerable … I'll file a ticket in a minute.
The paint() function in main.js has a cross-site scripting vulnerability:
How to reproduce:
Add a to-do item with the following title: "/>
The text needs to be escaped (more correctly: encoded): https://stackoverflow.com/questions/24816/escaping-html-strings-with-jquery