by r3bl 2927 days ago
Can I suggest either carefully stripping away user input or not using it at all in questions?

Clear security issue appeared when I typed:

    <script>alert("this is bad")</script>
...as a reason of my procrastination: https://imgur.com/a/Xmdi9VQ

EDIT: Further reading: https://en.wikipedia.org/wiki/Cross-site_scripting

3 comments

This is just a self-XSS: https://en.wikipedia.org/wiki/Cross-site_scripting#Self-XSS

If it were a reflected XSS you could trigger it with something like https://whydoiprocrastinate.com/#%3Cscript%3Ealert%28%22this..., but I don't think this actually matters.

Sloppy programming, sure, but it isn't a real security issue.

Mind explaining how that text input field creates an XSS opportunity?

> XSS enables attackers to inject client-side scripts into web pages viewed by other users.

Nobody other than you will see your alert("this is bad") so this doesn't seem like XSS.

That's until OP decides tonight that the tool is so popular that sticking a database behind it to serve anonymous examples MUST be a good idea, e.g.

Yes, in this particular case, it doesn't open a security hole.

But scrub all your inputs anyway. That one time you forget, it will be a cosmetic error due to double encoding instead of a security hole due to no encoding.
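
An added example (not code from this thread or from the site under discussion) showing the raw-interpolation pattern behind the screenshot beside an encode-once-at-render version, and the double-encoding mistake the comment above warns about. The function names and the sample input are constructed for illustration.

```javascript
// Minimal HTML entity encoding for text that will be placed inside an element body
// or a double-quoted attribute. Encoding happens once, at the point where the
// string becomes markup, never earlier.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable pattern: user text interpolated straight into markup that is later
// assigned to innerHTML. This is the behaviour the screenshot in the post shows.
function renderReasonUnsafe(reason) {
  return `<p>Your reason for procrastinating: ${reason}</p>`;
}

// Hardened pattern: the same template, with the untrusted value encoded exactly once.
function renderReasonSafe(reason) {
  return `<p>Your reason for procrastinating: ${escapeHtml(reason)}</p>`;
}

// Check used below: did a live <script> tag survive into the produced markup?
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

// Check for the "cosmetic error" case: an entity that was itself encoded again,
// which the browser renders literally as "&lt;script&gt;" instead of "<script>".
function isDoubleEncoded(html) {
  return /&amp;(lt|gt|quot|amp|#39);/.test(html);
}

// Constructed sample input, the same string the original post typed into the field.
const constructedInput = '<script>alert("this is bad")</script>';

// Encoding at input time AND again at render time: harmless, but visibly wrong.
const doubleEncodedMarkup = renderReasonSafe(escapeHtml(constructedInput));

console.log(renderReasonUnsafe(constructedInput)); // live <script> tag in the markup
console.log(renderReasonSafe(constructedInput));   // &lt;script&gt;... rendered as text
console.log(isDoubleEncoded(doubleEncodedMarkup)); // true: the cosmetic failure mode
```

Assigning the hardened output to `innerHTML` shows the typed text verbatim; assigning the same input to `textContent` achieves the same without any encoding step.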

I don't really get this criticism. This is a client-only app. Scrubbing input on the client is a bad way to avoid XSS because an attacker can modify the client. So teaching developers to sanitize strings in their frontend JS is not helpful. Why do we care what she does on her single page side project?