Inline issue auto complete (#) doesn't sanitize HTML tags
Assignee: Jean-Philippe Lang
If referring to an issue that has an HTML tag in its subject, the tag is rendered as an object in the autocomplete tip.

To reproduce:
- Create one issue with a subject like: Test <select> tag
- Start a new issue, go to the description field and type the issue number created above
- We should display something like: Feature #xxxx Test <select> tag
- We display a select object rendered in the tip, like the image below

This can be dangerous, as someone can inject HTML.
#7 Updated by Marius BALTEANU 3 months ago
Please try this new version, it should work as expected with one mention: the letters that match the search are no longer highlighted.
Also, instead of the sanitizeHTML function, I think it's better to use a library like https://lodash.com/docs/4.17.15#escape, but I'm not sure how to add it without copying the code or using a module bundler like webpack. @Jean-Philippe, any recommendations on this?
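The escaping that the report and comment #7 discuss, as an added example that is not Redmine's own code nor the patch attached to this issue: a tip renderer that drops the subject into markup unescaped, the escaped version (same character set as lodash's _.escape), and a way to keep the matched-letter highlighting that comment #7 says was lost while still escaping every segment. The issue record and the function names are constructed for this example.

```javascript
// Constructed sample of an issue as the autocomplete endpoint might return it.
const SAMPLE_ISSUE = { id: 1234, tracker: 'Feature', subject: 'Test <select> tag' };

// Escape the five characters that matter in HTML text and attribute
// contexts; this is the same set lodash's _.escape handles.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable shape: the subject is concatenated into markup unchanged, so
// "Test <select> tag" becomes a real <select> element inside the tip.
function renderTipUnsafe(issue) {
  return '<span class="tip">' + issue.tracker + ' #' + issue.id + ' ' + issue.subject + '</span>';
}

// Fixed shape: every field that came from user input is escaped first.
function renderTipSafe(issue) {
  return '<span class="tip">' + escapeHtml(issue.tracker) + ' #' + escapeHtml(issue.id) +
    ' ' + escapeHtml(issue.subject) + '</span>';
}

// Keep highlighting without reintroducing the bug: split the raw subject on
// the search term, escape each piece, and only then wrap matches in <strong>.
// Escaping after wrapping would kill the <strong>; wrapping after escaping
// could split an entity such as &lt; when the term matches inside it.
function highlightSafe(text, term) {
  if (!term) return escapeHtml(text);
  const pattern = new RegExp(term.replace(/[.*+?^${}()|[\]\\]/g, '\\$&'), 'gi');
  let out = '';
  let last = 0;
  let m;
  while ((m = pattern.exec(text)) !== null) {
    out += escapeHtml(text.slice(last, m.index)) + '<strong>' + escapeHtml(m[0]) + '</strong>';
    last = m.index + m[0].length;
  }
  return out + escapeHtml(text.slice(last));
}

// Simple check for tests or a code review: after stripping the known wrapper,
// does any raw tag opener survive in the rendered tip?
function containsRawTag(html) {
  const inner = html.replace(/^<span class="tip">/, '').replace(/<\/span>$/, '');
  return /<[a-zA-Z!\/]/.test(inner);
}
```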