If the form is valid it updates the page. Again, when the data saved and viewed on the frontend form it displays it correctly. It’s only in the panel that it seems to escape the already escaped quote. When viewing source in the panel I see…
View Panel Source
<textarea class="input" name="q_professional_details" autocomplete="on" id="form-field-q_professional_details" data-field="editor">
Don&#039;t think i won&#039;t test you.
Don't you think i won't test you.
</textarea>
I’m likely doing something wrong, just not sure what. Any ideas?
Yes, the cookbook example uses the esc() helper in a wrong way. This should be updated I guess.
You should only allow the user to input data of an expected type. If it’s not the proper type, discard it. For example, if you are expecting an email address, check if the entered data is actually an email address. You can check for maximum lengths, minimum lengths, numbers, whitelisted values etc. etc.
Using the esc() helper on the frontend where you output the data should help keep you save from XSS and malformed HTML.
filter_input() does - in the way it is used in the article - essentially the same thing as the esc() helper.
When you’re storing data from user input, you should be looking at things like filter_var() instead.
Don’t passs through filtered data with a <script> tag in it, disallow it!
$email = '<script>sendAllYourBitcoinsToMe()</script>';
$valid = filter_var($email, FILTER_VALIDATE_EMAIL);
if (!$valid) {
echo 'Are you a hacker?';
} else {
// publish page
}
Of course you can also use the toolkit for this one.
Also, in my opinion, every Kirby user who is not 100% familiar with creating secure and robust forms should look at Kirby Uniform from @mzur. It may be a bit too technical for some, but you can learn a lot about how to create a secure form just by looking at the example forms and how it makes use of the validators.
