Issue tracker & Personal library 'example solutions' are NOT XSS protected

DaniloNovakovic · September 13, 2018, 7:48am

One thing i noticed in the “solution example” shown for [Personal Library project] ( https://spark-cathedral.glitch.me ) is that it is NOT XSS protected, here is example of what i was able to do in it by adding <h1> and <img> tags aswell as <script> in comments:

Same thing is for Issue tracker project (i haven’t tested others).

This could be fixed by escaping < and > tags before sending it to client, for example:

// converts < to &lt and > to &gt preventing XSS attack
function escapeMini(string) {
  return string ? string.replace(/[<]/g, '&lt').replace(/[>]/g, '&gt') : '';
}

Here is my solution for issue tracker that uses this function: https://fcc-issue-tracker-project.glitch.me/apitest/

ArielLeslie · September 13, 2018, 2:45pm

Thank you for helping make FCC better. Bugs should always be reported as GitHub Issues. Whenever reporting a bug, please check first that there isn’t already an issue for it and provide as much detail as possible.

spam-man · September 24, 2018, 7:20pm

Yep, when you go to https://protective-garage.glitch.me/apitest/ which is the test app you can see that folks have been leaving alerts scripts there.

Topic		Replies	Views
Quality Assurance - Issue Tracker	3	337	November 26, 2023
https://boilerplate-infosec-6.lesathish75.repl.co JavaScript	2	250	November 15, 2021
Information Security with HelmetJS - Mitigate the Risk of Cross Site Scripting (XSS) Attacks with helmet.xssFilter() JavaScript	2	77	January 8, 2025
freeCodeCamp Challenge Guide: Mitigate the Risk of Cross Site Scripting (XSS) Attacks with helmet.xssFilter() Guide	1	3817	January 8, 2025
ISQA_4 - Issue Tracker Code Feedback	1	720	June 1, 2021

Issue tracker & Personal library 'example solutions' are NOT XSS protected

Related topics