Are there attack vectors in Kirby’s pages system?

I know that “you should never trust user input” – this makes a lot of sense when outputting user generated content in HTML or when using user provided data in database calls. All of these cases require different mitigation approaches; in different contexts, different character sequences are considered harmful. So you need to know what you are aiming for before sanitizing data. This is something Kirby also covers in its documentation.

While building a public API endpoint for a Kirby project, I asked myself: Are there any attack vectors when interacting with Kirby’s pages system?

As a starting point, let’s say I read a page slug from the URL using get('page'). Consider the following scenarios:

  1. Finding a page: $page = kirby()->page($page);
  2. Filtering a pages collection: $page = $pages->filterBy('slug', $page);
  3. Creating content: $page = $parent->createChild(['slug' => $page, 'content' => ['other' => 'user-provided', 'data' => 'to store']]);

What can go wrong, if I just pass in the raw value from the URL?

As far as I know Kirby prevents traversal for these methods as that would be the main concern.

The only thing that I realised in a past project was that kirby()->page() also finds drafts by default (in contrast to the page() helper). So if someone guessed the slug of a draft page they’d, well, it depends on the code that follows, I guess?

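Putting the two points of the thread together (whitelisting the slug read from the URL, and not treating a kirby()->page() hit as “public” because drafts are found too), here is an added example of a hardened lookup for a public route; it is not code from the thread or from Kirby itself. The route pattern api/page, the error JSON shape and the exposed fields are assumptions for the example.

```php
<?php
// Added example (not from the thread): a hardened public page lookup in a
// Kirby 3 site/config/config.php. The route pattern and the JSON shape are
// our own choices for this example, not Kirby defaults.

use Kirby\Http\Response;

return [
    'routes' => [
        [
            // GET /api/page?page=<slug>  -- same get('page') scenario as the OP
            'pattern' => 'api/page',
            'method'  => 'GET',
            'action'  => function () {
                $slug = (string) get('page', '');

                // 1. Whitelist the shape of the input before it reaches the pages
                //    system. A top-level slug only contains [a-z0-9-], so "/", ".."
                //    and anything else is rejected here instead of relying solely on
                //    Kirby's internal handling. (Nested ids like parent/child would
                //    need a per-segment check; this example allows top-level only.)
                if (preg_match('/^[a-z0-9-]{1,128}$/', $slug) !== 1) {
                    return Response::json(['error' => 'invalid slug'], 400);
                }

                // 2. kirby()->page() finds drafts as well as published pages (unlike
                //    the page() helper), so check the status explicitly rather than
                //    assuming that a hit means the page is meant to be public.
                $page = kirby()->page($slug);
                if ($page === null || $page->isDraft()) {
                    // Same answer for "missing" and "draft": a guessed draft slug
                    // cannot be distinguished from a non-existent one.
                    return Response::json(['error' => 'not found'], 404);
                }

                // 3. Expose only fields deliberately chosen for the public API.
                return Response::json([
                    'slug'  => $page->slug(),
                    'title' => $page->title()->value(),
                ]);
            },
        ],
    ],
];
```

The same slug check applies before $pages->filterBy('slug', ...) and $parent->createChild(['slug' => ...]) from the original post: validate the shape once at the boundary, then let the pages system work on a value you already know is well-formed.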

Thanks for your input Thomas, that corresponds to my findings so far :+1: