Escaping KirbyText with KirbyTag

Given a field text with a textarea and the following content:

foo & bar

(link: text: foo & bar)

In my template/snippet I am using the following line:

<?= $page->text()->escape()->kirbytext() ?>

The output is the following:

<p>foo &amp; bar</p>
<p><a href="">foo &amp;amp; bar</a></p>

It sems like the KirbyTag was escaped two times, while the content was escaped just fine. What would be the right approach to escape a field with KirbyText content without escaping parts of it twice?

Because the link text is html encoded in the Html class with this method:

    public static function encode(string $string = null, bool $keepTags = false): string
        if ($keepTags === true) {
            $list = static::entities();
            unset($list['"'], $list['<'], $list['>'], $list['&']);

            $search = array_keys($list);
            $values = array_values($list);

            return str_replace($search, $values, $string);

        return htmlentities($string, ENT_COMPAT, 'utf-8');

So how would escaping a Kirbytext work? Especially for preventing XSS and the like.

I wouldn’t because my use cases don’t require it, but maybe this is a bug. Could you file an issue on GitHub, please?

According to your previous answer here: Kirbytext and XSS this should be the right way to escape KirbyText.

But I’ve added an issue here:


This issue was closed, see issue report for solution with a custom method.