Problem
The EventForm component does not escape color label attributes, creating a potential XSS vector if color configuration becomes user-provided in the future.
Affected Code
src/components/EventForm.js:260-261
const colors = [
  { name: 'Red', hex: '#ff0000' },
  // ...
];

// In template:
title="${c.label}"      // Unescaped
aria-label="${c.label}" // Unescaped
Current Status
Color labels are currently hardcoded, so there is no immediate risk. However, this is a defensive coding issue — if color configuration becomes user-provided or externally sourced, this becomes an XSS vulnerability.
Solution
Add escapeHTML() calls (already available in the module) when interpolating color labels in the template:
title="${escapeHTML(c.label)}"
aria-label="${escapeHTML(c.label)}"
This ensures that if color labels become dynamic, the template is protected by default. Because both values land inside quoted attributes, escapeHTML() must encode double quotes (and preferably single quotes) in addition to <, > and &; a helper that only neutralizes tag characters would still let a label close the attribute and add its own.
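The following is an added, self-contained example and not code from EventForm.js. It reproduces the two flagged interpolations with a stand-in escapeHTML (the module's own helper is not shown on this page), renders a constructed hostile label through the unescaped template, through a tag-only escaper, and through the proposed fix, and counts stray double quotes to show when the attribute boundary is crossed. It goes one step beyond the finding by also validating the hex field, since a user-provided hex value would land in a style attribute; safeHex and the regex are assumptions for illustration.

```javascript
// Added example, not EventForm.js source. escapeHTML stands in for the
// module's helper; the real one must cover " and ' for attribute contexts.
const ATTR_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

function escapeHTML(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ATTR_ESCAPES[ch]);
}

// Tag-only escaper: adequate for text nodes, insufficient for attribute values.
function escapeTagsOnly(value) {
  return String(value).replace(/[&<>]/g, (ch) => ATTR_ESCAPES[ch]);
}

// Hypothetical validator for the hex field, which ends up in a style attribute.
const HEX_COLOR = /^#[0-9a-f]{6}$/i;
function safeHex(hex, fallback = '#000000') {
  return HEX_COLOR.test(hex) ? hex.toLowerCase() : fallback;
}

// Mirrors the two interpolations flagged above, unescaped.
function renderSwatchUnsafe(c) {
  return `<button type="button" style="background:${c.hex}" title="${c.label}" aria-label="${c.label}"></button>`;
}

// The proposed fix, with a pluggable escaper so weak and strong can be compared.
function renderSwatchSafe(c, esc = escapeHTML) {
  return `<button type="button" style="background:${safeHex(c.hex)}" title="${esc(c.label)}" aria-label="${esc(c.label)}"></button>`;
}

// Constructed hostile color config: the label closes title="..." and adds a handler.
const HOSTILE = { label: 'Red" onmouseover="alert(1)', hex: '#ff0000' };

// The static template has four quoted attributes, i.e. exactly 8 double quotes.
// Any surplus means a label broke out of its attribute.
const STATIC_QUOTES = 8;
function extraQuotes(html) {
  return (html.match(/"/g) || []).length - STATIC_QUOTES;
}

// Summary of the three renderings for the hostile config.
function demo() {
  return {
    unescaped: extraQuotes(renderSwatchUnsafe(HOSTILE)),            // 4
    tagsOnly: extraQuotes(renderSwatchSafe(HOSTILE, escapeTagsOnly)), // 4
    fixed: extraQuotes(renderSwatchSafe(HOSTILE)),                   // 0
  };
}
```

The tag-only variant is the case to watch for: it looks like "escaping" in a diff but leaves the attribute boundary open exactly as the raw interpolation does, so the review check is not "is escapeHTML called" but "does escapeHTML encode quotes".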