Hi,
I would like to disallow <script> and <style> tags from being entered in any panel field.
Currently, when you have a panel field of e.g. type: textarea you can enter any content, including HTML tags, and they will be rendered in any template when using the kirbytext() function. Let’s assume we have a field called text.
    text:
      label: Text
      type: textarea
A panel user can enter any arbitrary script or CSS style using e.g. <script> or <style> in the text panel field.

    <script type="text/javascript"> alert("hello"); </script>
When rendered using $page->text()->kirbytext(), it will alert “hello” in the browser.
I was wondering whether it is possible to filter / disallow certain HTML tags from being used in panel fields, or whether this is something that I need to manually take care of. If the latter, I see two options:
- overwrite the kirbytext() function used in the templates, and filter out the tags in this new function.
- create a panel hook for panel.page.update and filter all the fields here.
The second approach would have the advantage that the content would already be stripped in the panel. Without filtering it, the above script will be evaluated when using e.g. the Visual Markdown field. However, I would need to filter the content of every single field manually in my hook. As soon as I add a new field to a blueprint, I would also need to change the hook.
What are your thoughts on filtering certain tags? Maybe I am also missing something.
I’d appreciate any help!
Thanks,
Frederik
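As an added example (not Frederik's code and not part of Kirby itself), the following Kirby 2 plugin sketches both options from the post in one file: a panel.page.update hook that walks every field of the saved page instead of naming fields one by one, so a new blueprint field is covered without touching the hook, plus a field method for filtering on output. It assumes the Kirby 2 APIs kirby()->hook(), $page->content()->toArray(), $page->update(), field::$methods and the kirbytext field method, and that calling $page->update() inside the hook does not re-trigger the same panel hook. The plugin path and the helper name strip_script_style are hypothetical.

```php
<?php
// site/plugins/striptags/striptags.php  (hypothetical plugin location)
// Added example: removes <script> and <style> elements from page content,
// both when a page is saved in the panel and, via a field method, on output.

// Remove <script> and <style> elements including their contents, plus any
// dangling opening or closing tag left over from an unclosed element.
// Case-insensitive and multi-line, so "<SCRIPT>" and split tags are caught.
function strip_script_style($text) {
  if (!is_string($text)) return $text;
  // 1. whole elements: <script ...> ... </script>, <style ...> ... </style>
  $text = preg_replace('/<\s*(script|style)\b[^>]*>.*?<\s*\/\s*\1\s*>/is', '', $text);
  // 2. stray openers/closers that survived step 1 (e.g. an unclosed <script>)
  $text = preg_replace('/<\s*\/?\s*(script|style)\b[^>]*>/i', '', $text);
  return $text;
}

// Option 2 from the post: filter on save. Iterating over all fields means
// the hook does not have to be edited when a blueprint gains a new field.
// Assumed API: kirby()->hook(), $page->content()->toArray(), $page->update().
kirby()->hook('panel.page.update', function($page) {
  $data    = $page->content()->toArray();   // field name => raw stored value
  $cleaned = array();
  foreach ($data as $key => $value) {
    $safe = strip_script_style($value);
    if ($safe !== $value) {
      $cleaned[$key] = $safe;                 // only rewrite fields that changed
    }
  }
  if (!empty($cleaned)) {
    $page->update($cleaned);                  // assumed not to re-fire this hook
  }
});

// Option 1 variant: a field method for templates, so content saved before the
// hook existed is still filtered when rendered:
//   <?= $page->text()->safeKirbytext() ?>
// Assumed API: field::$methods and the existing kirbytext field method.
field::$methods['safeKirbytext'] = function($field) {
  $field->value = strip_script_style($field->value);
  return $field->kirbytext();
};
```

Stripping by tag name is a blocklist: it handles the two tags the post names, but other markup (event-handler attributes, iframes, javascript: URLs) passes through untouched. For fields that never need raw HTML, escaping on output with the field's html() method is the more robust choice, and the hook above then only serves as a second layer for fields that must keep markup.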