Unescaped HTML tags in the title, description and probably other fields in a card or board about wekan HOT 7 CLOSED

@fbroen

What maps?

What HTML tags?

What various places?

from wekan.

If this is about any new security issue, please follow security disclosure:

https://github.com/wekan/wekan/blob/main/SECURITY.md

from wekan.

But not escaping something is OK, when it does not create any kind of alert javascript popup like in XSS, because WeKan uses dompurify:

https://wekan.github.io/hall-of-fame/

from wekan.

It is a feature in WeKan, that is is possible to use some markdown and html for formatting.

from wekan.

@xet7
I would like to briefly explain the problem that I discovered today in more detail: We use a board to implement XML export files. For this purpose we also create cards where we mention XML tags.

We noticed the problem when we wrote the following for the title of a card: "The XML tag <person> needs to be changed to <pers>"

After saving the map or title, it only said "The XML tag needs to be changed to".

If html-tags are a feature for formating, is it possible to disable it for all boards or for one board?

from wekan.

@fbroen

Pull requests welcome.

https://github.com/wekan/wekan/blob/main/packages/markdown/src/template-integration.js#L76

Building WeKan and sending pull request:

http://github.com/wekan/wekan/wiki/Emoji

from wekan.

@xet7
Thank you for the information, but I'm not familiar with Node.js so I can't create a pull request. Maybe someone is also interessted in this feature. And we know it for the future to do not write something with < and >

from wekan.