Filter HTML tags (e.g. <script> and <style>) from being used in panel fields

Hi,

I would like to disallow <script> and <style> tags from being entered in any panel field.

Currently, when you have a panel field of e.g. type: textarea you can enter any content, including HTML tags, and they will be rendered in any template when using the kirbytext() function. Let’s assume we have a field called text.

text:
    label: Text
    type: textarea

A panel user can enter any arbitrary script or css style using e.g. <script> or <style> in the text panel field.

<script type="text/javascript"> alert("hello"); </script>

When rendered using $page->text()->kirbytext(), it will alert “hello” in the browser.

I was wondering whether it is possible to filter / disallow certain HTML tags from being used in panel fields, or whether this is something that I need to manually take care of. If the latter, I see two options:

  1. overwrite the kirbytext() function used in the templates, and filter out the tags in this new function.
  2. create a panel hook for panel.page.update and filter all the fields here.

The second approach would have the advantage that the content would already be stripped in the panel. Without filtering it, the above script will be evaluated when using e.g. the Visual Markdown field. However, I would need to filter the content of every single field manually in my hook. As soon as I add a new field to a blueprint, I would also need to change the hook.

What are your thoughts on filtering certain tags? Maybe I am also missing something.
I’d appreciate any help!
Thanks,
Frederik

An alternative to the options outlined above would be to use a Kirbytext pre filter: https://getkirby.com/docs/advanced/kirbytext#kirbytext-filters

Thank you @texnixe! Better approach than my first one!

For my second idea: Does anyone have any recommendation on how to best filter all field content in the page.update hook, without knowing all the field names in advance? My idea would be to iterate over the fields in $page->content(), remove any <script> tags and then use the $page->update() function. Any better suggestion?

Cheers,
Frederik
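As an added example (not code from the thread or from Kirby itself), here is one tag filter used from both places discussed above: the Kirbytext pre filter suggested by @texnixe, and a panel.page.update hook that iterates over all fields without knowing their names. It is written against the Kirby 2 API as documented at the time of this thread (kirbytext::$pre, kirby()->hook(), $page->content()->toArray(), $page->update()); these calls are an assumption and should be checked against the installed Kirby version. The file path and function names are made up for the example.

```php
<?php
// Added example for this thread, not Kirby's own code. Written against the
// Kirby 2 API (kirbytext::$pre, kirby()->hook(), $page->content()->toArray(),
// $page->update()); verify these against the version you run.
// Assumed location: site/plugins/tagfilter/tagfilter.php

/**
 * Remove <script> and <style> elements, including their contents, from a
 * string. Case-insensitive, tolerant of attributes and of unclosed tags.
 *
 * Caveat: this is a deny list and removes only what the thread asks for.
 * Other HTML that Markdown passes through untouched (<iframe>, <img onerror=...>,
 * <a href="javascript:...">) survives. If editors never need raw HTML, use
 * stripAllButAllowed() below or a real HTML sanitizer instead.
 */
function stripScriptAndStyle($value) {
  if (!is_string($value)) return $value;
  // 1. Complete elements: <script ...>...</script> and <style ...>...</style>.
  //    's' lets '.' cross newlines, 'i' makes the match case-insensitive,
  //    '.*?' is non-greedy so two elements on one page are removed separately.
  $value = preg_replace('~<(script|style)\b[^>]*>.*?</\1\s*>~is', '', $value);
  // 2. Leftovers: an opening tag with no closing tag, or a stray closing tag.
  //    Whatever text followed an unclosed <script> is left as plain text.
  $value = preg_replace('~</?(script|style)\b[^>]*>~i', '', $value);
  return $value;
}

/**
 * Stricter alternative: keep a short allow list of harmless tags and drop all
 * others. strip_tags() keeps attributes on the allowed tags, so the list must
 * not contain tags that take URLs or event handlers (no <a>, <img>, <iframe>).
 */
function stripAllButAllowed($value) {
  if (!is_string($value)) return $value;
  return strip_tags($value, '<p><br><strong><em><code><pre><ul><ol><li>');
}

// (a) Output side: a Kirbytext pre filter, run before Markdown every time a
//     field is rendered with ->kirbytext(). Covers every template that uses
//     kirbytext(), but not ->html(), raw output, or panel previews.
kirbytext::$pre[] = function($kirbytext, $value) {
  return stripScriptAndStyle($value);
};

// (b) Storage side: clean every field on save, whatever its name, so the
//     stored content (and therefore the Visual Markdown preview) is already
//     free of the tags. New blueprint fields are covered automatically.
kirby()->hook('panel.page.update', function($page) {
  $data    = $page->content()->toArray();   // field name => raw value
  $cleaned = array();
  foreach ($data as $key => $value) {
    $new = stripScriptAndStyle($value);
    if ($new !== $value) $cleaned[$key] = $new;
  }
  // Only write when something actually changed: $page->update() may fire
  // this hook again, and an unchanged page ends that recursion.
  if (!empty($cleaned)) {
    $page->update($cleaned);
  }
});
```

Using both together is the sensible combination: the hook cleans what the panel stores, the pre filter catches content that reached the content files by another route (FTP upload, an import script, a different hook). Keep in mind that removing <script> and <style> alone does not make user-entered HTML safe; if panel users are not fully trusted, the allow-list variant or a proper sanitizer is the right tool.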