The event calendar does not seem to mitigate XSS vulnerabilities for injection attacks in the event’s title. How can we secure our app for this? When I sanitize the title manually, mobiscroll does not render the character codes as their corresponding characters, resulting in this mess:
In this case, you have to make sure to sanitize the title on your side before passing it to the calendar. What would you like the outcome to be in this case?
Besides that, we will remove HTML support from the event title in the next major version of Mobiscroll. Currently it is supported because, before support for event templating was added, the only way to display rich content inside events was through HTML strings inside the event title.
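
One way to do the sanitizing the reply describes, as an added example that is not part of the original thread or Mobiscroll's own code: keep the stored title untouched and HTML-escape it exactly once at the point where events are handed to the calendar. The `rawTitle` field, the function names and the sample events are assumptions constructed for illustration.

```javascript
// Characters that change meaning when a string is parsed as HTML.
const HTML_ESCAPES = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#39;",
};

// Escape text for insertion into an HTML context.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Build the array handed to the calendar without mutating the stored events.
// `rawTitle` is a hypothetical extra field that keeps the untouched value for
// code paths that output plain text (textContent, exports, notifications).
function toCalendarEvents(storedEvents) {
  return storedEvents.map((ev) => {
    const raw = ev.title == null ? "" : String(ev.title);
    return { ...ev, rawTitle: raw, title: escapeHtml(raw) };
  });
}

// Constructed sample data: one benign title, one carrying markup.
const stored = [
  { id: 1, start: "2024-05-01T09:00", end: "2024-05-01T10:00", title: "Q&A with Tom" },
  { id: 2, start: "2024-05-01T11:00", end: "2024-05-01T12:00", title: '<img src=x onerror="alert(1)">' },
];

const calendarEvents = toCalendarEvents(stored);
for (const ev of calendarEvents) {
  console.log(ev.id, ev.title);
}
```

Escaping a value that is already escaped turns `&lt;` into `&amp;lt;`, which is displayed literally, so escape once at this boundary rather than at storage time. Wherever a title is written as plain text instead of HTML, use the raw value.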