Shared notes
The shared notes panel is vulnerable to XSS when rendering a new note, because the username is not sanitized before it is written into the page.
The following payload, rendered unsanitized by the panel, triggers the injected onerror handler and displays the document.cookie value:
<img%20src=#%20onerror=alert(document.cookie)>
XSS vulnerabilities allow attackers to inject arbitrary JavaScript code into other users' browsers, leading to theft of session cookies, website defacement, phishing and many other attacks.
User input should always be sanitized to prevent attackers from injecting malicious code.
It is also important to perform output encoding in order to prevent unwanted code execution.
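As an added illustration that is not part of the original advisory or the affected project's code, the following JavaScript shows a minimal note renderer with the defect described above (the username is concatenated into the markup unencoded) next to a version that applies HTML output encoding, and checks both against the advisory's payload. The note shape {username, text}, the function names and the sample note are assumptions.

```javascript
// Added example, not the advisory's code. Assumed note shape: { username, text }.
// The rendered string is what the panel would insert into the DOM.

// Output encoding for an HTML text context: the five characters that can
// break out of element content or an attribute value.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable variant: mirrors the advisory's "missing username sanitization".
// The note body is encoded, but the username is written into the markup raw,
// so a username that contains a tag is interpreted by the browser.
function renderNoteVulnerable(note) {
  return `<div class="note"><b>${note.username}</b>: ${escapeHtml(note.text)}</div>`;
}

// Fixed variant: every untrusted field is encoded for the HTML context it lands in.
function renderNoteFixed(note) {
  return `<div class="note"><b>${escapeHtml(note.username)}</b>: ${escapeHtml(note.text)}</div>`;
}

// Regression check for a test suite: does the rendered fragment contain any
// tag other than the ones the template itself emits?
function containsUnexpectedTag(html) {
  const allowed = new Set(['div', 'b', '/div', '/b']);
  const tags = [...html.matchAll(/<\s*(\/?[a-zA-Z][a-zA-Z0-9]*)/g)]
    .map((m) => m[1].toLowerCase());
  return tags.some((t) => !allowed.has(t));
}

// Constructed sample note whose username is the advisory's payload, URL-decoded.
const XSS_USERNAME = '<img src=# onerror=alert(document.cookie)>';
const sampleNote = { username: XSS_USERNAME, text: 'hello' };

console.log('vulnerable:', renderNoteVulnerable(sampleNote));
console.log('fixed:     ', renderNoteFixed(sampleNote));
console.log('unexpected tag in vulnerable output:', containsUnexpectedTag(renderNoteVulnerable(sampleNote)));
console.log('unexpected tag in fixed output:     ', containsUnexpectedTag(renderNoteFixed(sampleNote)));
```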