
Reflected-XSS/HTML Injection #248

Closed
satu0king opened this issue Mar 15, 2019 · 3 comments

Comments

@satu0king
Member

Describe the bug
A user sent this mail:

This is a seemingly minor bug, but it is identical to the self-retweeting tweet so it should probably be addressed immediately. If HTML is placed into the title of the project, it is interpreted as such by the editor. This only does anything in the editor, and all other situations are either protected or do not show the title. Script tags are the scary part.

I think everywhere else the text is escaped when rendered. However, here it is client-side rendering and the title is manually injected by JavaScript. It is not very critical, as only the author can actually see the edit page, but it will affect someone who forks the same circuit.

Are you working on this issue? (Yes/No)
No
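The report above describes a title that is concatenated into markup on the client and handed to the DOM unescaped. The following is an added example, not the project's own code (the issue does not show the file that injects the title): the unsafe rendering pattern beside two hardened forms, plus a simple check a maintainer could run over stored titles. The `element` passed to `setTitleText` is assumed to be a DOM element in a browser; outside a browser any object with a `textContent` property stands in for it.

```javascript
// Escape the five characters that change meaning in HTML text and attributes.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Unsafe pattern (the bug described in the issue): the raw title is spliced into
// markup that is later assigned to innerHTML, so tags in the title are parsed.
function renderTitleUnsafe(title) {
  return `<h1 id="project-title">${title}</h1>`;
}

// Hardened form 1: escape before building markup, so the title is inert text.
function renderTitleEscaped(title) {
  return `<h1 id="project-title">${escapeHtml(title)}</h1>`;
}

// Hardened form 2: when a DOM element is at hand, skip markup entirely.
// textContent is never parsed as HTML, whatever the string contains.
function setTitleText(element, title) {
  element.textContent = String(title);
  return element;
}

// Detection aid for stored data: flag titles that contain anything tag-like
// so a maintainer can audit existing projects after the fix ships.
function looksLikeMarkup(title) {
  return /<[a-zA-Z!\/?]/.test(String(title));
}

// Constructed sample title (not from any real project).
const sampleTitle = 'Adder <b>v2</b> <script>x()</script>';

// Run stand-alone: node this_file.js
console.log('unsafe :', renderTitleUnsafe(sampleTitle));
console.log('escaped:', renderTitleEscaped(sampleTitle));
console.log('text   :', setTitleText({ textContent: '' }, sampleTitle).textContent);
console.log('flagged:', looksLikeMarkup(sampleTitle), looksLikeMarkup('1 < 2 and 3 > 2'));
```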

@armudgal armudgal changed the title HTML Injection Reflected-XSS/HTML Injection Mar 16, 2019
@woswos
Contributor

woswos commented Apr 5, 2019

I want to work on this, and I think this is a quite serious issue.

I have a way to fix it in my mind. I tried to find the exact code piece that dynamically changes the title based on the project properties entry. I might need some help to locate that code piece and apply the fix.

@SubhajitCode
Contributor

#375 is the critical variant, as all users will be affected by this vector.

@github-actions

github-actions bot commented Mar 5, 2020

No activity on this issue for a prolonged duration; it will be closed in a few days if there is no further activity in the next 7 days.
