mikaeljorhult / brackets-todo

Brackets/Edge Code extension that displays all TODO comments in current document or project.

Security issue #89

Closed glepretre closed 10 years ago

glepretre commented 10 years ago

First of all I would like to thank you for this extension, it saves me a lot of time! :wink:

I noticed a very strange behavior this morning: in one of my projects I have an HTML element in a TODO comment like // TODO <select>

And it showed up in the Todo panel!

I then tried these TODO comments:

// TODO <input>
// TODO <script>alert('security issue')</script>

Both work: the first one creates an input in the Todo panel, the second one opens an alert when saving the file.

mikaeljorhult commented 10 years ago

Yes, you're right. I overlooked it when implementing the recognition of mentions and issues. 0.7.1 will be released shortly to address this.

Thank you for pointing it out!
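The rendering bug reported above, and the fix direction the maintainer mentions, as an added JavaScript example that is not brackets-todo's own code: the unsafe row builder interpolates the comment text straight into markup, while the hardened one escapes first and only then links @mentions and #issues on the already-escaped string, so the linkifying step cannot reintroduce tags. The row markup, the mention/issue patterns and the GitHub URLs are assumptions made for this example.

```javascript
// Added example (not code from the brackets-todo extension). Shows why a
// TODO comment containing "<script>" ends up executing in the panel and
// how escaping before linkifying prevents it.

// Minimal HTML escaping for text that is inserted into markup.
// The single quote is emitted as &#39; (a numeric entity).
function escapeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Vulnerable pattern mirroring the issue: the raw comment text is dropped
// into the panel's HTML, so "// TODO <script>..." becomes a live script tag.
function renderTodoRowUnsafe(todo) {
  return '<li class="todo"><span class="tag">' + todo.tag + '</span> ' +
    todo.comment + '</li>';
}

// Link recognition run on ALREADY ESCAPED text (patterns and URLs are
// assumptions). Both patterns require a leading boundary (start or
// whitespace) so that the "#39" inside the &#39; entity produced by
// escapeHtml is never mistaken for an issue reference.
const REPO_URL = 'https://github.com/mikaeljorhult/brackets-todo'; // assumed
function linkify(escapedText) {
  return escapedText
    .replace(/(^|\s)@([A-Za-z0-9_-]+)/g, '$1<a href="https://github.com/$2">@$2</a>')
    .replace(/(^|\s)#(\d+)/g, '$1<a href="' + REPO_URL + '/issues/$2">#$2</a>');
}

// Hardened row builder: escape first, then add links.
function renderTodoRow(todo) {
  return '<li class="todo"><span class="tag">' + escapeHtml(todo.tag) + '</span> ' +
    linkify(escapeHtml(todo.comment)) + '</li>';
}

// Constructed sample comment, modelled on the one in the issue report.
const SAMPLE_TODO = {
  tag: 'TODO',
  comment: "<script>alert('security issue')</script> ask @glepretre about #89"
};

console.log(renderTodoRowUnsafe(SAMPLE_TODO)); // contains a real <script> tag
console.log(renderTodoRow(SAMPLE_TODO));       // tag is shown as text, links added
```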