Poor security practice in first tutorial

#1

Hi!

In the first Hello World tutorial, there is a line:

document.getElementById('heading-name').innerHTML = person.name()

Anyone that puts HTML (or a less than sign, etc) in their name will get interesting results.

-s

4 Likes
#3

Both the docs and the generators are actively being worked on.
Not sure this part is worth fixing though since the hello-blockstack isn’t really supposed to be used in production I don’t think.

2 Likes