Hi! Thanks for reporting.
I just have two comments:
Nest does sanitise HTML, by using a standard markdown parser/renderer. Let's try it with backquotes: `<usize>`.
This issue would belong more in [/pijul_org/nest], but it's ok to keep it here.
For example: The following text should appear as "< b > test < / b >", without spaces, instead of appearing as bold text:
This should be fixed urgently because it allows cross-site scripting attacks.
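An added example, not Nest's own code: a minimal Rust renderer for one line of untrusted comment text that entity-escapes every character of raw HTML the user typed, while still turning backtick spans into `<code>`. The function names are hypothetical; it only illustrates the behaviour the report asks for, where `<b>test</b>` comes out as literal text and the backquoted `<usize>` above becomes a code span rather than a tag.

```rust
// Escape the characters that let text become markup or break out of an
// attribute. Everything the user wrote reaches the browser as data, not HTML.
fn escape_html(s: &str) -> String {
    let mut out = String::with_capacity(s.len());
    for c in s.chars() {
        match c {
            '&' => out.push_str("&amp;"),
            '<' => out.push_str("&lt;"),
            '>' => out.push_str("&gt;"),
            '"' => out.push_str("&quot;"),
            '\'' => out.push_str("&#x27;"),
            _ => out.push(c),
        }
    }
    out
}

/// Hypothetical minimal renderer: backtick spans become <code>..</code>, and
/// every other character, including any raw tag the user typed, is escaped.
/// An unmatched backtick is kept as literal text.
fn render_comment_line(input: &str) -> String {
    let mut out = String::new();
    let mut rest = input;
    loop {
        match rest.find('`') {
            None => {
                out.push_str(&escape_html(rest));
                break;
            }
            Some(open) => {
                out.push_str(&escape_html(&rest[..open]));
                let after = &rest[open + 1..];
                match after.find('`') {
                    Some(close) => {
                        out.push_str("<code>");
                        out.push_str(&escape_html(&after[..close]));
                        out.push_str("</code>");
                        rest = &after[close + 1..];
                    }
                    None => {
                        out.push_str(&escape_html(&rest[open..]));
                        break;
                    }
                }
            }
        }
    }
    out
}

fn main() {
    // Constructed inputs: the report's bold tag and the backquoted type name.
    println!("{}", render_comment_line("<b>test</b>"));
    println!("{}", render_comment_line("Try `<usize>` here"));
}
```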
Oops, thanks a lot for reporting that, this is indeed urgent.
Pijul is already protected against XSRF, but running arbitrary JS would allow the attacker to get the user's cookies, which is really bad.
Is there a standard solution to this?
I fixed this long ago, but for some reason forgot to close this issue. Thanks for reporting!