[Security] Add input sanitization to prevent XSS attacks #13

Description

@niat-web

Security Issue

What:
User inputs (todo title, description) should be
sanitized before being saved to the database
and before being displayed on screen.

Why this is important:
Without sanitization, a malicious user could
type JavaScript code in a todo title like:

<script>alert('hacked')</script>

If this gets stored and displayed without
sanitization, it could execute in other
users' browsers (XSS attack).

Expected behavior:

  • Strip or escape HTML tags from user inputs
  • Sanitize on both frontend AND backend
  • Display text as plain text, never as HTML

Technical implementation:
Backend: Use the bleach library to sanitize inputs
Frontend: React already escapes by default
but verify no dangerouslySetInnerHTML is used

Acceptance Criteria:

  • HTML tags stripped from todo title
  • HTML tags stripped from todo description
  • Sanitization happens before saving to database
  • Existing todos with HTML tags handled safely
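Backend handling of the two fields, as an added example that is not the project's code: it strips markup before a row is saved, escapes again when the text is rendered, and re-sanitizes rows stored before the fix. It uses only the standard library so it runs without installing bleach (bleach.clean(text, tags=set(), strip=True) does the same stripping); the field names title/description, the row layout and the choice to drop script/style bodies are assumptions.

```python
"""Added example, not the project's code: stdlib-only sanitization for todo
fields. Field names and row layout are assumptions."""
import html
from html.parser import HTMLParser


class _TextOnly(HTMLParser):
    """Keeps text nodes; drops tags, attributes, comments and the bodies of
    <script>/<style>. Entity references are decoded, so the input
    '&lt;b&gt;' comes back as the text '<b>', not as a tag."""

    def __init__(self) -> None:
        super().__init__(convert_charrefs=True)
        self.parts: list[str] = []
        self._skip_depth = 0  # > 0 while inside <script> or <style>

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self._skip_depth += 1

    def handle_endtag(self, tag):
        if tag in ("script", "style") and self._skip_depth:
            self._skip_depth -= 1

    def handle_data(self, data):
        if not self._skip_depth:
            self.parts.append(data)


def strip_tags(value: str) -> str:
    """Return the plain-text content of value with all HTML markup removed."""
    parser = _TextOnly()
    parser.feed(value)
    parser.close()  # flush any buffered trailing text
    return "".join(parser.parts).strip()


def sanitize_todo(todo: dict) -> dict:
    """Strip markup from the user-controlled fields before the row is saved."""
    clean = dict(todo)
    for field in ("title", "description"):  # assumed field names
        if clean.get(field) is not None:
            clean[field] = strip_tags(clean[field])
    return clean


def render_todo_html(todo: dict) -> str:
    """Escape on output as well. Stripping on input is not a substitute:
    decoded entities such as '<script>' survive as text and are only harmless
    while the output layer escapes them. React does this for JSX text;
    dangerouslySetInnerHTML is the one path that bypasses it."""
    title = html.escape(todo.get("title") or "", quote=True)
    description = html.escape(todo.get("description") or "", quote=True)
    return f"<li><strong>{title}</strong>: {description}</li>"


def migrate_existing(rows: list[dict]) -> list[dict]:
    """Re-sanitize rows stored before the fix; returns only rows that changed."""
    changed = []
    for row in rows:
        clean = sanitize_todo(row)
        if clean != row:
            changed.append(clean)
    return changed


if __name__ == "__main__":
    # Constructed sample rows, as users might have stored them before the fix.
    rows = [
        {"id": 1, "title": "<script>alert('hacked')</script>", "description": "x"},
        {"id": 2, "title": "Buy <b>milk</b>", "description": "2 < 3 &amp; 4 > 1"},
        {"id": 3, "title": "Plain title", "description": None},
    ]
    for row in migrate_existing(rows):
        print(row["id"], repr(row["title"]), repr(row["description"]))
    print(render_todo_html(sanitize_todo({"title": "&lt;script&gt;", "description": "a<b>"})))
```

Two things the acceptance criteria do not spell out and a reviewer should decide on: stripping is lossy (a bare "2 < 3" survives, a literal "<b>" typed as text does not), so the backend should reject or strip consistently rather than silently change meaning; and a one-time pass over existing rows with migrate_existing covers the last criterion, while escaping at render time keeps old rows safe even before that pass runs.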

Metadata

Assignees

No one assigned

    Labels

    backend: Related to FastAPI backend
    frontend: related to react frontend
    medium-priority: Should be done but not immediately urgent
    security: related to security and authentication
