akiee
Inserted todos do not get escaped
When entering new todos the HTML special characters (<,>,&) are not escaped, leading to two problems:
- Tag injection: It is possible to inject arbitrary HTML tags, including <script>
- Incomplete tags, unclosed tags and incomplete ampersand escapes break the state change
A possible fix would be to properly escape the content of the todos before displaying them in the Board etc.
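As an added illustration of the escaping fix proposed in the report above (example code, not akiee's own; the list markup, the function names and the sample todos are assumptions), here is the unescaped rendering next to a string-level escaper that turns the three problem characters into entities before the todo reaches the board markup:

```javascript
// Added example, not akiee's code. The <li>/<ul> layout and the names
// escapeHtml / renderTodoUnsafe / renderTodoSafe / renderBoard are assumed.

const HTML_ESCAPES = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#39;",
};

// Replace every HTML-significant character in one pass so the browser treats
// the todo text as text, never as markup. Because it is a single pass, an
// "&amp;" the user typed becomes "&amp;amp;" and still displays verbatim.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable rendering as described in the report: the todo text is dropped
// into the markup verbatim, so tags and bare ampersands are interpreted.
function renderTodoUnsafe(todo) {
  return `<li class="todo">${todo}</li>`;
}

// Fixed rendering: escape first. Injected tags become visible text, and an
// unclosed "<b" or a stray "&" can no longer break the surrounding markup.
function renderTodoSafe(todo) {
  return `<li class="todo">${escapeHtml(todo)}</li>`;
}

// Constructed sample todos covering both problems from the report.
const SAMPLE_TODOS = [
  "Buy milk <script>alert(1)</script>", // tag injection
  "Fix <b unclosed tag",                 // unclosed tag
  "R&D meeting & review",                // incomplete ampersand escape
];

// Render a whole board with the given per-todo renderer (safe by default).
function renderBoard(todos, render = renderTodoSafe) {
  return `<ul class="board">${todos.map(render).join("")}</ul>`;
}

for (const todo of SAMPLE_TODOS) {
  console.log("unsafe:", renderTodoUnsafe(todo));
  console.log("safe:  ", renderTodoSafe(todo));
}
```

The same property holds for any template-string rendering: whatever the board does with the markup afterwards, the escaped text cannot open or close an element.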
Thanks for sharing. This will be fixed with the next version, due to the use of React.