Inserted todos do not get escaped

rockiger / akiee

A Markdown-based task manager for hackers and people who build stuff.

http://rockiger.com/en/akiee/index

Other

126 stars 10 forks source link

Open Kasalehlia opened 9 years ago

Kasalehlia commented 9 years ago

When entering new todos the HTML special characters (<,>,&) are not escaped, leading to two problems:

Tag injection: It is possible to inject arbitrary HTML tags, including <script>
incomplete tags, unclosed tags and incomplete ampersand escapes break the state change

A possible fix would be to properly escape the content of the todos before displaying them in the Board etc.

rockiger commented 9 years ago

Thanks for sharing. This will be fixed with the next version, due to the use of react.