Double Escaping in the Panel

Hey folks, I need some clarification on an issue where apostrophes are displayed within the panel like this…

Panel View

When rendered back to the frontend form the first example works just fine and renders correctly. It’s only in the panel that it seems have the issue.

In the code, I followed the cookbook example to escape the input. Here is what that looks like…

Escaping form input

If the form is valid it updates the page. Again, when the data saved and viewed on the frontend form it displays it correctly. It’s only in the panel that it seems to escape the already escaped quote. When viewing source in the panel I see…

View Panel Source

<textarea class="input" name="q_professional_details" autocomplete="on" id="form-field-q_professional_details" data-field="editor">
Don&amp;#039;t think i won&amp;#039;t test you.

Don't you think i won't test you.

I’m likely doing something wrong, just not sure what. Any ideas? :slight_smile:

Actually, esc()shouldn’t really be used for user input like that.

@ezraverheijen wrote about this here recently.

@texnixe Ah, ok. So a couple follow-up questions:

  1. So would that mean the cookbook example is wrong?
  2. What’s the proper way to escape form input before updating a page?
  1. Yes, the cookbook example uses the esc() helper in a wrong way. This should be updated I guess.
  2. You should only allow the user to input data of an expected type. If it’s not the proper type, discard it. For example, if you are expecting an email address, check if the entered data is actually an email address. You can check for maximum lengths, minimum lengths, numbers, whitelisted values etc. etc.

Using the esc() helper on the frontend where you output the data should help keep you save from XSS and malformed HTML.

filter_input() does - in the way it is used in the article - essentially the same thing as the esc() helper.

When you’re storing data from user input, you should be looking at things like filter_var() instead.
Don’t passs through filtered data with a <script> tag in it, disallow it!

$email = '<script>sendAllYourBitcoinsToMe()</script>';
$valid = filter_var($email, FILTER_VALIDATE_EMAIL);
if (!$valid) {
  echo 'Are you a hacker?';
} else {
  // publish page 

Of course you can also use the toolkit for this one.

$valid = v::email($email);

Also, in my opinion, every Kirby user who is not 100% familiar with creating secure and robust forms should look at Kirby Uniform from @mzur. It may be a bit too technical for some, but you can learn a lot about how to create a secure form just by looking at the example forms and how it makes use of the validators.

Thanks, I appreciate the help on this. :slight_smile: