What Is The Safest Way To Set An Input Value With Liquid?

- 1 answer

Here is what I'm doing:

<input value="{{ value | strip_html | escape }}">

Looking at examples, it seems like escape might be enough,

but it doesn't escape <, >, and " for instance.

(Obviously no escape leads to an XSS.)

I'm using the latest liquidjs.


I will update this answer if things change, but it seems like | escape is enough: there isn't a way to get out of a double-quoted attribute ("") without a double quote, so I just need to make sure I'm using double quotes. So this should be enough:

<input value="{{ value | escape }}">

To be clear, <input value="{{ value }}"> exposes you to an XSS vulnerability.

You can see the differences for yourself: