Security Issue
What:
User inputs (todo title, description) should be
sanitized before being saved to the database
and before being displayed on screen.
Why this is important:
Without sanitization, a malicious user could
type JavaScript code in a todo title like:
<script>alert('hacked')</script>
If this gets stored and displayed without
sanitization, it could execute in other
users' browsers (XSS attack).
Expected behavior:
- Strip or escape HTML tags from user inputs
- Sanitize on both frontend AND backend
- Display text as plain text, never as HTML
Technical implementation:
Backend: use the bleach library to strip or escape HTML in user inputs
before they are stored
Frontend: React escapes text content by default, but verify that no
component renders these fields with dangerouslySetInnerHTML
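Added example, not from the issue: a backend sanitizer for the todo fields that does the two things asked for above (strip tags on input, escape on output). The issue proposes bleach; this stand-in uses only the Python standard library so it runs anywhere, and the function names and the 200-character title limit are assumptions.

```python
# Added example (not from the issue): backend sanitization of todo fields.
# Stand-in for the bleach-based approach using only the standard library.
import html
from html.parser import HTMLParser


class _TagStripper(HTMLParser):
    """Keeps text content and drops every tag, including its attributes."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self._chunks = []

    def handle_data(self, data):
        self._chunks.append(data)

    def text(self):
        return "".join(self._chunks)


def strip_tags(value: str) -> str:
    """Input-side step: remove markup before the value is stored."""
    parser = _TagStripper()
    parser.feed(value)
    parser.close()
    return parser.text().strip()


def sanitize_todo(title: str, description: str, max_title: int = 200) -> dict:
    """Normalise a todo payload before it is persisted (assumed limit: 200 chars)."""
    clean_title = strip_tags(title)[:max_title]
    if not clean_title:
        raise ValueError("title is empty after sanitization")
    return {"title": clean_title, "description": strip_tags(description)}


def render_text(value: str) -> str:
    """Output-side step: escape so stored text is never parsed as HTML.

    Needed even after strip_tags, because entity-encoded input such as
    '&lt;b&gt;' decodes to a literal '<b>' during stripping.
    """
    return html.escape(value, quote=True)


if __name__ == "__main__":
    # Constructed input: the payload quoted in the issue.
    todo = sanitize_todo("<script>alert('hacked')</script>", "buy milk")
    print(todo, render_text(todo["title"]))
```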
Acceptance Criteria: