ivirabyan / jquery-mentions

Adds mentioning support to your text fields.
http://ivirabyan.github.io/jquery-mentions/
MIT License
114 stars 49 forks

Textarea parsing HTML #21

Closed charlie-eth closed 9 years ago

charlie-eth commented 9 years ago

So I'm not sure how much of an issue this is as long as there is proper server-side sanitizing, but typing something like an alert inside the textarea with the below code will execute the alert. Can this behaviour be prevented?

This:

```html
<!-- jQuery and the jquery-mentions plugin script must be loaded before this -->
<textarea class="bla"></textarea>
<script>
    $('.bla').mentionsInput({
        source: 'media/view/get_users',
        showAtCaret: true
    });
</script>
```

Will execute anything typed in such as this:

```html
<script>alert('hello');</script>
```

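The failure reported above is the classic DOM XSS pattern for a mentions widget: the overlay that highlights mentions is built by interpolating the raw textarea value into HTML, so markup the user types is parsed rather than displayed. The following is an added example, not code from the jquery-mentions project; it assumes the plugin mirrors the textarea value into a highlighter element (the function and option names here are my own), and shows the unsafe rendering beside the escaped version that keeps typed `<script>` inert while still wrapping mentions in markup.

```javascript
// Escape the five characters that can break out of text or attribute context.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Build the overlay HTML for a textarea value. `mentions` is a list of
// { label, start } describing where each accepted mention sits in `value`
// (constructed shape for this example). `esc` is applied to every piece of
// user-controlled text before it is concatenated into the HTML string.
function renderOverlay(value, mentions, esc) {
  let out = '';
  let pos = 0;
  mentions
    .slice()
    .sort((a, b) => a.start - b.start)
    .forEach((m) => {
      out += esc(value.slice(pos, m.start));
      // The label is escaped too: a display name may itself contain '<'.
      out += '<strong class="mention">' + esc(m.label) + '</strong>';
      pos = m.start + m.label.length;
    });
  return out + esc(value.slice(pos));
}

// Vulnerable form: identity "escaper", i.e. the value goes into innerHTML as-is,
// so "<script>alert('hello');</script>" typed by the user becomes live markup.
function renderOverlayUnsafe(value, mentions) {
  return renderOverlay(value, mentions, (s) => s);
}

// Hardened form: all typed text is escaped; only the plugin's own
// <strong class="mention"> tags survive as markup.
function renderOverlaySafe(value, mentions) {
  return renderOverlay(value, mentions, escapeHtml);
}

// Constructed input mirroring the report: injected markup followed by a mention.
const typed = "<script>alert('hello');</script> hi @Alice";
const mentions = [{ label: '@Alice', start: typed.indexOf('@Alice') }];

// In a browser the fixed version would be used as:
//   overlay.innerHTML = renderOverlaySafe(textarea.value, mentions);
console.log(renderOverlayUnsafe(typed, mentions));
console.log(renderOverlaySafe(typed, mentions));
```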
ivirabyan commented 9 years ago

This is definitely wrong behaviour; I'll investigate tomorrow. Thank you.

charlie-eth commented 9 years ago

Any word on this?

ivirabyan commented 9 years ago

Fixed this