Issue tracker & Personal library 'example solutions' are NOT XSS protected

One thing I noticed in the “solution example” shown for the [Personal Library project] ( ) is that it is NOT XSS protected. Here is an example of what I was able to do in it by adding <h1> and <img> tags as well as <script> in comments:

Same thing is for Issue tracker project (i haven’t tested others).

This could be fixed by escaping < and > before sending the data to the client, for example:

// converts < to &lt; and > to &gt; so the browser renders user input as text instead of markup, preventing XSS
function escapeMini(string) {
  // an empty, null or undefined value is returned as an empty string
  return string ? string.replace(/</g, '&lt;').replace(/>/g, '&gt;') : '';
}

Here is my solution for issue tracker that uses this function:

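The post above escapes only < and >. As an added example (not the poster's code and not the freeCodeCamp solution), here is the same idea carried through for every character that changes meaning in HTML, applied to the comment fields before they are concatenated into markup. The function and field names (escapeHtml, renderComment, author, text) and the sample comments are my own constructed assumptions.

```javascript
// Added example: escape every HTML metacharacter, not just < and >.
// '&' is included so stored text such as "&lt;" is not decoded back into "<"
// by the browser, and quotes are included so the same helper is safe inside
// attribute values as well as between tags.
const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};

// Escape a value for insertion into HTML text or a quoted attribute.
// A single regex with a lookup avoids the ordering bugs of chained
// replace() calls (e.g. escaping '<' before '&' would double-escape).
function escapeHtml(value) {
  if (value === undefined || value === null) return '';
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Build the markup for one stored comment. Every user-controlled field
// goes through escapeHtml() whether it lands in text or in an attribute.
function renderComment(comment) {
  const author = escapeHtml(comment.author);
  const text = escapeHtml(comment.text);
  return `<li class="comment" data-author="${author}">` +
    `<strong>${author}</strong>: ${text}</li>`;
}

// Render a whole comment list the way a server-side template would.
function renderComments(comments) {
  return '<ul>' + comments.map(renderComment).join('') + '</ul>';
}

// Constructed sample data (assumption): what an issue-tracker comment
// store might contain once people have pasted markup into the form.
const sampleComments = [
  { author: 'alice', text: 'Nice project!' },
  { author: 'mallory', text: '<h1>big</h1><script>alert(1)</script>' },
  { author: 'bob" data-x="', text: 'Tom &amp; Jerry' },
];

// Returns true when the rendered markup contains the user-supplied tag
// delimiters unescaped; used here as a quick regression check.
function leaksRawTags(comments) {
  const html = renderComments(comments);
  // Only our own fixed template tags may remain once user text is escaped.
  const stripped = html
    .replace(/<\/?(ul|li|strong)(\s[^>]*)?>/g, '');
  return /[<>]/.test(stripped);
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(renderComments(sampleComments));
  console.log('raw tags leaked:', leaksRawTags(sampleComments));
}
```

Note that the escaping happens at the point where the string is placed into HTML, not when it is stored: the database keeps the original text, and the same value can later be emitted safely as JSON or plain text without double-decoding. On the client side, assigning user text to an element's textContent rather than innerHTML gives the same guarantee without any escaping code.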

Thank you for helping make FCC better. Bugs should always be reported as GitHub Issues. Whenever reporting a bug, please check first that there isn’t already an issue for it and provide as much detail as possible.

Yep, when you go to which is the test app, you can see that folks have been leaving alert scripts there.