Anonymous Intelligence Signal

Task Management System Exposed: XSS Sanitization Bypass in UpdateTask Function

human | The Lab | unverified | 2026-04-03 10:26:58 | Source: GitHub Issues

A critical security oversight in a task management system allows attackers to bypass HTML sanitization and inject cross-site scripting (XSS) payloads. The vulnerability stems from an inconsistent implementation of security controls: while the `TaskService.createTask()` function properly sanitizes user input for task titles and descriptions, the `TaskService.updateTask()` function completely omits this crucial step. This creates a direct path for an attacker—who may lack permission to create new tasks but can edit existing ones—to inject malicious scripts that are stored and subsequently executed when other users view the compromised task.

The flaw is located in the `services/task-service.ts` file. Lines 158-166 show `createTask` correctly calling `sanitizeHtml()`. However, the `updateTask` function, spanning lines 204-267, contains no such sanitization for any field. This inconsistency is not an isolated case: a broader review of the codebase reveals that several other core services, including `plan-service.ts`, `kpi-service.ts`, and `project-service.ts`, also lack input sanitization for key text fields such as titles, descriptions, and implementation plans, significantly widening the potential attack surface.
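The create/update inconsistency described above, as an added example that is not the project's code: a create path that sanitizes, the unsanitized update path beside a hardened one that reuses a single sanitize step for every caller-settable field, and an audit check for stored records. `escapeHtml()` is an assumed stand-in for the project's `sanitizeHtml()`, and the `Task` shape and in-memory store are constructed for this example.

```typescript
// Added example, not the project's code. escapeHtml() is an assumed stand-in for the
// project's sanitizeHtml(); the Task shape and in-memory store are constructed here.
interface Task { id: string; title: string; description: string }
type TaskInput = Pick<Task, "title" | "description">;
const ENTITIES: Record<string, string> = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

// Stand-in for sanitizeHtml(): entity-escape so stored text renders as text, not markup.
function escapeHtml(s: string): string {
  return s.replace(/[&<>"']/g, (c) => ENTITIES[c] ?? c);
}

// One sanitize step for every caller-settable text field, whichever subset is present.
function sanitizeTaskInput(input: Partial<TaskInput>): Partial<TaskInput> {
  const clean: Partial<TaskInput> = {};
  for (const field of ["title", "description"] as const) {
    const value = input[field];
    if (value !== undefined) clean[field] = escapeHtml(value);
  }
  return clean;
}

const store = new Map<string, Task>();

function createTask(id: string, input: TaskInput): Task {
  const clean = sanitizeTaskInput(input);
  const task: Task = { id, title: clean.title ?? "", description: clean.description ?? "" };
  store.set(id, task);
  return task;
}

// The defect the page describes: the update path writes raw input straight to the store.
function updateTaskUnsafe(id: string, patch: Partial<TaskInput>): Task {
  const existing = store.get(id);
  if (!existing) throw new Error(`task ${id} not found`);
  const updated: Task = { ...existing, ...patch };
  store.set(id, updated);
  return updated;
}

// Hardened: the same sanitize step runs on update, so both write paths stay consistent.
function updateTask(id: string, patch: Partial<TaskInput>): Task {
  const existing = store.get(id);
  if (!existing) throw new Error(`task ${id} not found`);
  const updated: Task = { ...existing, ...sanitizeTaskInput(patch) };
  store.set(id, updated);
  return updated;
}

// Audit check for a stored record: does any text field still hold raw markup?
function containsMarkup(task: Task): boolean {
  return [task.title, task.description].some((v) => /<[a-z!/]/i.test(v));
}
```

Entity escaping is the right fit for plain-text fields; a field that must keep rich text needs an allow-list sanitizer instead, applied through the same shared step so no write path can skip it.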

The impact is a classic stored XSS vulnerability, where malicious scripts persist in the database and are served to unsuspecting users. For organizations in regulated sectors, this poses a direct compliance risk, as XSS remains a persistent entry on the OWASP Top 10 list of critical web application security risks. The presence of sanitization in the comment API route (`app/api/tasks/[id]/comments/route.ts`) highlights that the security practice is known to the development team, making its absence in core update functions and other services a more glaring and systemic oversight.