translate5 / TRANSLATE-283

XSS Protection in translate5


Details

    • Critical
    • ENHANCEMENT: Added general protection against CrossSiteScripting/XSS attacks

    Description

      This morning I stumbled upon the keywords XSS and CSRF. Since my knowledge about these topics has faded away in the last years, I was encouraged to refresh it and test it in Translate5.

      Translate5 is currently vulnerable to XSS!

      A simple test shows:

      1. A manager can provide HTML when editing user data.
      2. When saving a segment, HTML can be provided by faking the PUT request. This is not possible through the editor itself.
      3. As manager, when creating a task: the task creation throws an error, but the task is saved with the HTML in the form fields where this is possible.

      Since in our application we fetch all data by AJAX, the script tags that may be stored internally are not evaluated directly. But this can happen if one embeds the DB content directly somewhere as HTML (like in the notification mails)!
      Another point would be to embed the JS as a handler in other tags.

      Since the same content is used in generated e-mails, the mails could contain malicious HTML too.

      Solution: remove all tags, since they are not allowed. Only in PutSegment do we have to parse the content, since HTML is partially allowed there.

      Possible attacks:

      1. Faked PUT segment request: you have to adapt the segment id in the URL and at the end of the payload to reuse the code from the first comment in the JS console:

       
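The two sanitisation paths the report proposes, as an added example that is not translate5's own code: plain fields (user data, task form fields) lose every tag, while segment content keeps only an allowlist of tags, always with their attributes removed. The allowlist `SEGMENT_TAGS` and the function names are assumptions, not translate5's real ones.

```javascript
// Added example (not translate5 code): strip all tags from plain fields, and
// keep only allowlisted, attribute-free tags in segment content, so neither a
// <script> tag nor an event-handler attribute survives a faked PUT request.

// Matches one tag: "<", optional "/", a tag name, anything but "<" or ">", then ">".
const TAG_RE = /<\s*(\/?)\s*([A-Za-z][A-Za-z0-9]*)[^<>]*>/g;

// Assumed allowlist for segment content; translate5's real one is not on the page.
const SEGMENT_TAGS = new Set(['b', 'i', 'u', 'br']);

function escapeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return text.replace(/[&<>"']/g, (c) => map[c]);
}

// Plain fields: remove tags until nothing changes, so "<<script>script>" cannot
// reassemble into a tag after a single pass. The result is plain text and must
// still be escaped (escapeHtml) when a mail template embeds it as HTML.
function stripTags(input) {
  let prev;
  let cur = input;
  do {
    prev = cur;
    cur = prev.replace(TAG_RE, '');
  } while (cur !== prev);
  return cur;
}

// Segment content: re-emit allowed tags by name only (attributes such as
// onerror= or href= are discarded), drop every other tag, and escape the text
// between tags so any stray "<" is inert when the segment is rendered.
function sanitizeSegment(input, allowed = SEGMENT_TAGS) {
  let out = '';
  let last = 0;
  let m;
  TAG_RE.lastIndex = 0;
  while ((m = TAG_RE.exec(input)) !== null) {
    out += escapeHtml(input.slice(last, m.index));
    const name = m[2].toLowerCase();
    if (allowed.has(name)) out += `<${m[1]}${name}>`;
    last = TAG_RE.lastIndex;
  }
  return out + escapeHtml(input.slice(last));
}

// Constructed inputs of the kind the report describes (user name, segment text).
console.log(stripTags('Ada <script>alert(1)</script>Lovelace'));
console.log(sanitizeSegment('Hello <b onmouseover="x()">world</b> <img src=x onerror=y()>'));
```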

            People

              axelbecher Axel Becher
              tlauria Thomas Lauria