Javascript injection feasible
chris68 opened this issue · comments
chris68 commented
If I enter

```html
Check javascript
<script>
alert("Hi!");
</script>
```

in the editor and press the preview button I get a 'Hi' box. Not really desirable...
Github handles that correctly (as you can easily test with this bug report)
Kartik Visweswaran commented
Resolved and closed via commit 9425e14. Thanks for reporting. Injected scripts/XSS will be removed. To embed a script as text, escape the '>' character like this:

```html
<script\>alert ("Hello")</script\>
```
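The two defensive options the thread touches on, rendering editor input as inert text or removing injected `<script>` elements from input that is otherwise allowed to carry HTML, are shown below as an added example. This is not the project's own code and not the fix in commit 9425e14; the function names `escapeHtml`, `stripScriptElements` and `previewAsText` are hypothetical, and the sample input is constructed from the report above. The stripping helper runs to a fixed point so that a tag split by another tag (a common way a single-pass filter is bypassed) is still removed, and it is meant as defence in depth behind escaping or an allowlist, not as a sanitizer on its own.

```javascript
// Added example (not the project's code): keeping editor input from executing
// when it is rendered into a preview pane. All names are hypothetical.

// Option 1: escape. The preview shows the input literally, so "<script>"
// becomes visible text instead of an element. Correct default for any field
// that is not supposed to carry markup.
function escapeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Option 2: strip. For input that may carry some HTML, remove <script>
// elements including their body. Applied repeatedly until nothing changes, so
// an element hidden inside another ("<scr<script></script>ipt>") does not
// survive a single pass. Unclosed opening tags are removed afterwards.
const PAIRED_SCRIPT = /<script\b[^>]*>[\s\S]*?<\/script\s*>/gi;
const OPEN_SCRIPT = /<script\b[^>]*>/gi;

function stripScriptElements(html) {
  let current = String(html);
  let previous;
  do {
    previous = current;
    current = current.replace(PAIRED_SCRIPT, '');
  } while (current !== previous);
  do {
    previous = current;
    current = current.replace(OPEN_SCRIPT, '');
  } while (current !== previous);
  return current;
}

// Preview as plain text: the safe path when the preview does not need markup.
// In a browser the same effect is obtained by assigning the raw string to
// element.textContent rather than element.innerHTML.
function previewAsText(input) {
  return escapeHtml(input);
}

// Constructed sample input, taken from the report in this thread.
const SAMPLE_INPUT = 'Check javascript\n<script>\nalert("Hi!");\n</script>';

// Stand-alone demonstration of both options on the sample input.
function demo() {
  return {
    escaped: previewAsText(SAMPLE_INPUT),
    stripped: stripScriptElements(SAMPLE_INPUT),
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(demo());
}
```

In a browser, `escaped` can be assigned to `innerHTML` (or, equivalently, the raw input to `textContent`) and the `<script>` tag is displayed rather than run; `stripped` is what the preview would receive if the project chooses to keep other markup and only drop scripts.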