Open dave-smyth opened 4 years ago

Describe the bug
If a user enters something unsavoury, like <script>, or even:
It seems to break things. That specific example, on a {{ title }} text input field, redirected me to /!/Workshop/entryUpdate with a 403 error. Using strip_tags isn't beneficial as this is happening on an input rather than output.

Expected behavior
Expect input to be stripped of HTML tags.

Environment details:

You can/should sanitize fields containing data from untrusted users.
{{ title | sanitize }}

Thanks for the quick response, Jason!
The effects described above were on fields that already contain the sanitize modifier: if a user includes <script> or the example above, the input seems to execute.
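As an added example (not code from this issue or from the project being discussed), the small Python emulation below shows the input-versus-output distinction the thread turns on: {{ title }} inserts the stored value verbatim, {{ title | sanitize }} HTML-encodes it at render time so a stored <script> tag reaches the browser as inert text, and strip_tags deletes tag-shaped text instead of encoding it. The template interpolation, the modifier names, and the assumption that the sanitize modifier behaves like HTML entity escaping are mine, and the UNTRUSTED_TITLE value is constructed for the demonstration.

```python
import html
import re

# Constructed sample: what an untrusted user typed into the "title" field.
# The stored value is left exactly as entered; only rendering differs.
UNTRUSTED_TITLE = '<script>alert(1)</script> Workshop entry'


def sanitize(value: str) -> str:
    """Output-encoding modifier (assumed to behave like HTML entity
    escaping with quotes escaped): the text survives, the markup does not."""
    return html.escape(value, quote=True)


def strip_tags(value: str) -> str:
    """Stripping modifier: delete anything shaped like a tag.
    This changes the stored text instead of encoding it."""
    return re.sub(r'<[^>]*>', '', value)


MODIFIERS = {'sanitize': sanitize, 'strip_tags': strip_tags}


def render(template: str, context: dict) -> str:
    """Tiny emulation of {{ field }} / {{ field | modifier }} interpolation
    (assumed syntax, not the real template engine)."""
    def substitute(match: re.Match) -> str:
        name, _, modifier = match.group(1).partition('|')
        value = str(context[name.strip()])
        modifier = modifier.strip()
        if modifier:
            value = MODIFIERS[modifier](value)
        return value

    return re.sub(r'\{\{\s*([^}]+?)\s*\}\}', substitute, template)


def contains_raw_script_tag(rendered: str) -> bool:
    """Defender's check: did a literal <script tag reach the output?"""
    return re.search(r'<\s*script', rendered, re.IGNORECASE) is not None


def main() -> None:
    context = {'title': UNTRUSTED_TITLE}
    for template in ('<h1>{{ title }}</h1>',
                     '<h1>{{ title | sanitize }}</h1>',
                     '<h1>{{ title | strip_tags }}</h1>'):
        out = render(template, context)
        print(f'{template:35} -> {out!r}  raw script tag: '
              f'{contains_raw_script_tag(out)}')
    # The stored value is never modified by output-time encoding.
    print('stored value unchanged:', context['title'] == UNTRUSTED_TITLE)


if __name__ == '__main__':
    main()
```

Running it shows the unmodified field emitting the tag as live markup, the sanitize form emitting `&lt;script&gt;` (so the check reports no raw tag), and strip_tags leaving `alert(1) Workshop entry` with the stored value untouched in all three cases; the 403 on the form submission reported in the issue is a separate, request-side behaviour that this rendering model does not cover.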