One thing I noticed in the "solution example" shown for the [Personal Library project](https://spark-cathedral.glitch.me) is that it is NOT XSS protected. Here is an example of what I was able to do in it by adding `<h1>` and `<img>` tags, as well as `<script>`, in comments:
The same goes for the Issue Tracker project (I haven't tested the others).
This could be fixed by escaping `<` and `>` before sending the text to the client, for example:

```javascript
// Converts < to &lt; and > to &gt; so the browser renders the characters
// as text instead of parsing them as tags, preventing the XSS attack.
function escapeMini(string) {
  return string ? string.replace(/[<]/g, '&lt;').replace(/[>]/g, '&gt;') : '';
}
```
Here is my solution for the Issue Tracker that uses this function: https://fcc-issue-tracker-project.glitch.me/apitest/
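A fuller escaper, added here as an example and not part of the original post or of either project: escaping only `<` and `>` is enough for text placed between tags, but not for text placed inside a quoted attribute, and a bare `&` can still be read as the start of an entity. The `renderComment` function and the comment record shape are assumptions for illustration.

```javascript
// Added example (not the poster's or the project's code): escape all five
// HTML-significant characters so the result is inert both in element content
// and inside double- or single-quoted attribute values.
const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};

// One pass over the string: each character is replaced independently, so the
// '&' produced for one entity is never itself escaped a second time.
function escapeHtml(value) {
  if (value === null || value === undefined) return '';
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Hypothetical server-side rendering of a stored comment. The author goes into
// an attribute value and the body into element content; both are escaped with
// the same function, so neither context can be broken out of.
function renderComment(comment) {
  return `<li class="comment" data-author="${escapeHtml(comment.author)}">` +
         `<p>${escapeHtml(comment.text)}</p></li>`;
}

// Constructed sample comment using the tags mentioned in the post.
const sampleComment = {
  author: 'alice',
  text: '<h1>Hi</h1><img src="x"><script>x()</script> & more',
};

// Sanity check: after escaping, no raw markup characters remain.
function hasRawMarkup(s) {
  return /[<>"']/.test(s);
}

console.log(renderComment(sampleComment));
```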