statamic / workshop

Create and edit entries, pages, and globals on the front-end of your site without the control panel.
https://statamic.com/marketplace/addons/workshop

Inputs not stripped #34

Open dave-smyth opened 4 years ago

dave-smyth commented 4 years ago

Describe the bug
If a user enters something unsavoury, like <script>, or even:

<script>
alert("Breaking your site");
</script>

It seems to break things. That specific example, on a {{ title }} text input field redirected me to /!/Workshop/entryUpdate with a 403 error.

Using strip_tags isn’t beneficial as this is happening on an input rather than output.

Expected behavior
Expect input to be stripped of HTML tags.

Environment details:

jasonvarga commented 4 years ago

You can/should sanitize fields containing data from untrusted users.

{{ title | sanitize }}

dave-smyth commented 4 years ago

Thanks for the quick response, Jason!

The effects described above were on fields that already contain the sanitize modifier: if a user includes <script> or the example above, the input seems to execute.