Laravel-Backpack / docs


Add note that output is not escaped in preview for EasyMDE, SimpleMDE and Summernote #266

Closed tabacitu closed 2 years ago

tabacitu commented 2 years ago

In these three editors, when you click the preview button, the output is not escaped at all. So if there's some JS there (eg: afafa"><img src=x onerror=confirm(1)>) then that JS will be run.

Not a problem for one-admin systems, since you can do that from the Chrome Developer Tools anyway. Yes, a problem for multi-admin systems. One admin can potentially run JS on another's machine. Or a malicious user even, if the input is in the db from a separate form (outside Backpack).

I say let's add notes to these fields, saying that the preview is unescaped, so they should maybe sanitize the input before they store it in the database, which is easiest done using a Laravel mutator for that attribute.

tabacitu commented 2 years ago

I think we've been overthinking this. No matter how much we help in sanitizing / purifying / cleaning stuff inside the field, some sanitizing will STILL be needed when that information is stored in the database. That's when this is best done, because nobody can mess with that part.

So the best thing to do for this would be to instruct people to sanitize their inputs and outputs, and make that as easy as possible so they actually do it. We've added docs for this in https://github.com/Laravel-Backpack/docs/pull/267 and we might make it even easier in the future using custom casts (see https://github.com/mewebstudio/Purifier/issues/152), so consider this issue closed.
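The sanitize-on-store approach both comments recommend, as an added example that is not code from the Backpack project or from tabacitu: a reusable custom cast (the direction the second comment points at) and the classic Eloquent mutator the first comment suggests, both purifying editor HTML before it reaches the database. Assumed, not taken from the issue: a model `Article` with `body` and `summary` columns, and the mewebstudio/Purifier package linked above being installed, which provides the `Purifier` facade and `Purifier::clean()`.

```php
<?php
// Added example, not code from the Backpack project or from this issue.
// Assumed: an Eloquent model `Article` whose `body`/`summary` columns are
// edited through an EasyMDE/SimpleMDE/Summernote field, and the
// mewebstudio/Purifier package installed, providing the `Purifier` facade.

// ---- app/Casts/PurifiedHtml.php ----------------------------------------
namespace App\Casts;

use Illuminate\Contracts\Database\Eloquent\CastsAttributes;
use Mews\Purifier\Facades\Purifier;

// Custom cast (Laravel 7+): sanitizes on write, returns the stored value
// unchanged on read. Reusable for any model/column that holds editor HTML.
class PurifiedHtml implements CastsAttributes
{
    public function get($model, string $key, $value, array $attributes)
    {
        return $value;
    }

    public function set($model, string $key, $value, array $attributes)
    {
        // HTML Purifier drops <script>, event-handler attributes such as
        // onerror, and javascript: URLs, while keeping the markup an editor
        // legitimately produces (p, strong, a, img with an http(s) src, ...).
        return $value === null ? null : Purifier::clean($value);
    }
}

// ---- app/Models/Article.php ---------------------------------------------
namespace App\Models;

use App\Casts\PurifiedHtml;
use Illuminate\Database\Eloquent\Model;
use Mews\Purifier\Facades\Purifier;

class Article extends Model
{
    protected $fillable = ['title', 'body', 'summary'];

    // Option 1: the cast above. It runs on every assignment, including mass
    // assignment from a Backpack CRUD form, so the editor's unescaped preview
    // is no longer the last place the markup goes unchecked.
    protected $casts = [
        'body' => PurifiedHtml::class,
    ];

    // Option 2: a classic mutator, as the first comment suggests. Same effect
    // for a single attribute without a separate cast class.
    public function setSummaryAttribute($value): void
    {
        $this->attributes['summary'] = $value === null ? null : Purifier::clean($value);
    }
}
```

With either option in place, `Article::create(['body' => $request->input('body')])` stores the purified markup, whatever the editor submitted. The preview button inside the field still renders the editor's current, unsaved content, so the docs note about the unescaped preview stays relevant; and a value that is not trusted HTML should still be printed with Blade's escaping `{{ }}` rather than `{!! !!}` on output.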