Closed acobster closed 3 years ago
I would expect form fields with string values to be properly unescaped/stripped of slashes when calling $form->get().
$form->get()
For example, if $_POST looks like [ "username" => "Coby'" ], I'd expect $form->get('username') to be the string Coby'.
$_POST
[ "username" => "Coby'" ]
$form->get('username')
Coby'
Instead, it includes a slash, e.g. Coby\'. We should probably strip slashes by default for strings, but there may be unintended consequences of this.
Coby\'
For reference: https://sitecrafting.atlassian.net/browse/AWBPPE-185
Fix: https://bitbucket.org/sitecrafting/awb-rebound-and-recovery/commits/70a8ae94
acobster
commented
3 years ago acobster
commented
3 years ago
Expected behavior
I would expect form fields with string values to be properly unescaped/stripped of slashes when calling
$form->get().For example, if
$_POSTlooks like[ "username" => "Coby'" ], I'd expect$form->get('username')to be the stringCoby'.Actual behavior
Instead, it includes a slash, e.g.
Coby\'. We should probably strip slashes by default for strings, but there may be unintended consequences of this.