Closed thadeubrito closed 1 week ago
I will pass on this, thanks. Sanitization should be done in the backend and not the frontend. This has been my policy for decades.
Even if it was so, it should be done by whoever implements Tagify, right before the data is sent to the server, and not within Tagify itself.
This PR fixes a possible XSS issue by making sure that text input is handled the same way as tag values. Tagify already escapes HTML in tags to prevent XSS, and this PR adds the same protection for regular text input.
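To make concrete what the PR description means by handling text input the same way as tag values, here is an added example (not code from this PR or from Tagify) that passes one constructed input through an escaped tag path and through a free-text path with escaping on and off. All function names, the markup templates and the sample string are assumptions made for illustration.

```javascript
// Added illustration; every name here is hypothetical and this is not Tagify's code.
const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

// Encode the five characters that can change the HTML parsing context.
function escapeHTML(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Tag path: the value is escaped for both the attribute and the text node.
function renderTag(value) {
  const safe = escapeHTML(value);
  return `<tag title="${safe}"><span class="tag-text">${safe}</span></tag>`;
}

// Free-text path: `escape` toggles the behaviour so both outcomes can be compared.
function renderInputText(text, escape = true) {
  const body = escape ? escapeHTML(text) : text;
  return `<span class="input-text">${body}</span>`;
}

// Check: element names present in the rendered markup that the templates did not emit.
function unexpectedElements(html, allowed = ["tag", "span"]) {
  const names = [...html.matchAll(/<\s*([a-zA-Z][\w-]*)/g)].map((m) => m[1].toLowerCase());
  return names.filter((name) => !allowed.includes(name));
}

// Constructed sample input, not taken from the PR.
const SAMPLE = '<img src=x onerror="alert(1)"> & "quoted"';

function demo() {
  return {
    tag: unexpectedElements(renderTag(SAMPLE)),
    escapedText: unexpectedElements(renderInputText(SAMPLE, true)),
    rawText: unexpectedElements(renderInputText(SAMPLE, false)),
  };
}

console.log(demo());
```

The `unexpectedElements` check is also usable as a regression test: any element name it reports came from user-supplied data rather than from the template.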