Web Tinker does not sanitize generated output and is thus susceptible to HTML injection attacks. This is especially concerning when dealing with scripts that fetch information from remote locations that you potentially do not have control over. A simple example illustrating the problem:
```php
echo '<span style="color:#F00;">I am red!</span>';
```
Once inserted in the Web Tinker command prompt and sent to the server, the default output modifier will simply print the output on the page, which in turn is interpreted by the browser to print red text on the screen. I was able to render complete websites in Web Tinker like this, which is typically not wanted behavior from a PHP REPL.
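To make the mitigation concrete, here is an added example (not code from the issue author or from the Web Tinker project) contrasting a pass-through output modifier with one that escapes for an HTML context. The `OutputModifier` interface defined inline, its `modify(string $output = ''): string` shape, the class names and the `containsHtmlTag` helper are all assumptions made for this illustration; the package's real contract may differ.

```php
<?php
// Added example, not code from the spatie/laravel-web-tinker project.
// The interface below is a stand-in for the package's output modifier
// contract (assumed shape: modify(string $output = ''): string).
interface OutputModifier
{
    public function modify(string $output = ''): string;
}

// Passes REPL output through untouched. Anything the evaluated code echoes,
// including markup fetched from a remote source, reaches the browser as
// live HTML. This mirrors the behaviour the issue describes.
final class PassThroughOutput implements OutputModifier
{
    public function modify(string $output = ''): string
    {
        return $output;
    }
}

// Escapes the output for an HTML body context before it is rendered, so the
// browser displays the markup as text instead of interpreting it.
// ENT_QUOTES covers both quote styles; ENT_SUBSTITUTE replaces invalid UTF-8
// instead of returning an empty string, which would silently drop output.
final class EscapedOutput implements OutputModifier
{
    public function modify(string $output = ''): string
    {
        return htmlspecialchars($output, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
    }
}

// Defensive check a maintainer could use in a test suite: does the string
// that will be handed to the browser still contain anything that parses as
// an HTML tag? (Hypothetical helper, not part of the package.)
function containsHtmlTag(string $rendered): bool
{
    return (bool) preg_match('/<\s*\/?[a-zA-Z][^>]*>/', $rendered);
}

// Constructed sample: the output produced by the echo statement in the issue.
$tinkerOutput = '<span style="color:#F00;">I am red!</span>';

$unsafe = (new PassThroughOutput())->modify($tinkerOutput);
$safe   = (new EscapedOutput())->modify($tinkerOutput);

// The pass-through result still carries a live tag; the escaped result does not.
var_dump(containsHtmlTag($unsafe));
var_dump(containsHtmlTag($safe));
echo $safe, PHP_EOL;
```

Escaping must match the context in which the front end actually inserts the string: `htmlspecialchars` is correct for text placed into an HTML element body or attribute, but if the client-side code writes the output with a DOM text-node API instead of `innerHTML`, the escaping should happen there rather than twice.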
Because this issue seems to have been inactive for quite some time now, I've automatically closed it. If you feel this issue deserves some attention from my human colleagues, feel free to reopen it.