Issue tracker & Personal library 'example solutions' are NOT XSS protected


#1

One thing I noticed in the “solution example” shown for the [Personal Library project](https://spark-cathedral.glitch.me) is that it is NOT XSS protected; here is an example of what I was able to do in it by adding <h1> and <img> tags as well as <script> in comments:

The same goes for the Issue Tracker project (I haven’t tested the others).

This could be fixed by escaping < and > tags before sending it to the client, for example:

// converts < to &lt; and > to &gt; (complete entities, with the trailing
// semicolon) so that user-supplied text cannot be rendered as HTML tags
function escapeMini(string) {
  return string ? string.replace(/</g, '&lt;').replace(/>/g, '&gt;') : '';
}

Here is my solution for issue tracker that uses this function: https://fcc-issue-tracker-project.glitch.me/apitest/
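A fuller version of the escaping approach described in this post, added here as an example (it is not the poster's code and not part of the freeCodeCamp projects): it covers the five HTML-significant characters, emits complete entities, and is applied to the string fields of an issue record before the record is sent to the client. The issue field names and the sample record are assumptions modelled on the issue-tracker project.

```javascript
// Added example: escape all HTML-significant characters at the output boundary.
// The trailing semicolon matters: "&lt" without it is not a complete entity,
// and "&" must be covered too, or already-escaped text would be decoded twice.
const HTML_ENTITIES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};

// Escape a single value in one pass; non-strings (ids, dates, booleans)
// are returned unchanged so JSON responses keep their types.
function escapeHtml(value) {
  if (typeof value !== 'string') return value;
  return value.replace(/[&<>"']/g, (ch) => HTML_ENTITIES[ch]);
}

// Escape every string field of an issue object (hypothetical field names
// modelled on the issue-tracker project). Returns a new object; the stored
// record is left untouched so the database keeps the original text.
function escapeIssue(issue) {
  const out = {};
  for (const [key, value] of Object.entries(issue)) {
    out[key] = escapeHtml(value);
  }
  return out;
}

// Constructed sample input resembling what a tester might submit.
const sampleIssue = {
  _id: 'abc123', // constructed placeholder id
  issue_title: '<script>alert(1)</script>',
  issue_text: 'Clicking "Save" fails & shows <img src=x onerror=alert(1)>',
  created_by: "O'Brien",
  open: true,
};

// Usage: call escapeIssue(record) right before res.json(...) in the Express
// route handler, so every field reaching the browser is already escaped.
console.log(JSON.stringify(escapeIssue(sampleIssue), null, 2));
```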


#2

Thank you for helping make FCC better. Bugs should always be reported as GitHub Issues. Whenever reporting a bug, please check first that there isn’t already an issue for it and provide as much detail as possible.


#3

Yep, when you go to https://protective-garage.glitch.me/apitest/, which is the test app, you can see that folks have been leaving alert scripts there.