DOM-based XSS vulnerability in the Get Things Done Activity

[aryan-02]

If you type HTML/CSS/JavaScript code as a to-do list item, it runs perfectly and can even be used to modify elements of the UI.
Here's how to replicate:
Open the "Get Things Done" Activity
Copy and paste the following as an item in the To-Do list, and enjoy watching the UI get ruined:

<style>*{background:red!important;border: 5px solid green!important; transition: all 0.5s; }*:hover{transform: scale(1.01)translateX(5px)}</style> <button style="color:white!important;background:black!important;" onclick="alert('Hello World')">Click Me!</button>

Here's how I think this can be fixed:
When enter is pressed, use JavaScript to generate an iframe whose contents will be the text (or code) entered in the textarea. This will make sure the styles are applied only to what's there inside the box and not what's in the rest of the UI.
This should help in the implementation:
https://www.tutorialrepublic.com/faq/how-to-insert-html-content-into-an-iframe-using-jquery.php
https://www.tutorialrepublic.com/codelab.php?topic=faq&file=jquery-inject-html-into-an-iframe-from-the-textarea

[llaske]

Nice.
Not in favor of fixing by iframe, it's not a good practice.

[conscioustahoe]

The XSS attack can be handled by replacing any text ,that appears to be code(HTML/CSS/JavaScript)
by replacing it with an empty string.

[llaske]

Code of Get Things Done activity is located https://github.com/llaske/sugarizer/tree/dev/activities/GetThingsDone.activity

[samyok]

Would it be fixed by just encoding HTML?

For example, turning "&" into "&", "<" to "<", etc.

[aryan-02]

@nepaltechguy2 I suppose yes.

[llaske]

Fixed in aec4166

[aryan-02]

Closing the issue, since it's fixed.