What Is The Safest Way To Set An Input Value With Liquid?

Here is what I'm doing:

<input value="{{ value | strip_html | escape }}">

Looking at examples, it seems like escape might be enough:

https://github.com/Shopify/liquid/search?p=1&q=escape&unscoped_q=escape

But it doesn't escape <, >, and " for instance.

(Obviously, no escape leads to an XSS.)

I'm using the latest liquidjs.


Answer

I will update this answer if things change, but it seems like | escape is enough: there isn't a way to get out of a double-quoted attribute ("") without a double quote, so I just need to make sure I'm using double quotes. So this should be enough:

<input value="{{ value | escape }}">

To be clear, <input value="{{ value }}"> exposes you to an XSS vulnerability.

You can see the differences for yourself: https://jsfiddle.net/h80radfu/
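As an added example (not part of the question, the answer, or liquidjs itself), here is a plain JavaScript stand-in for the `escape` filter, plus a check that the rendered `<input value="...">` attribute can no longer be terminated early and that the original value survives a round trip. The replacement table is assumed to match the filter's standard set of replacements.

```javascript
// Added example: a minimal stand-in for Liquid's `escape` filter, used to
// check the answer's claim that a double-quoted attribute cannot be
// terminated once `"` is escaped. This is NOT liquidjs code; the table
// below is assumed to mirror the filter's standard replacements.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

function escapeHtml(value) {
  // Single pass: every special character is looked up and replaced once.
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Render the template from the answer: <input value="{{ value | escape }}">
function renderInput(value) {
  return `<input value="${escapeHtml(value)}">`;
}

// Defensive check: the text between the attribute quotes must contain no raw
// double quote (nothing can end the attribute early) and no `<` (nothing can
// open a new tag). Returns true when the rendered markup is contained.
function attributeIsContained(rendered) {
  const m = /^<input value="([^"]*)">$/.exec(rendered);
  return m !== null && !m[1].includes('<') && !m[1].includes('"');
}

// Reverse the escaping the way a browser's attribute parser would, so we can
// confirm the original value comes back unchanged.
function unescapeHtml(text) {
  const back = { '&amp;': '&', '&lt;': '<', '&gt;': '>', '&quot;': '"', '&#39;': "'" };
  return text.replace(/&(amp|lt|gt|quot|#39);/g, (ent) => back[ent]);
}

function roundTrips(value) {
  const m = /^<input value="([^"]*)">$/.exec(renderInput(value));
  return m !== null && unescapeHtml(m[1]) === value;
}

// Constructed sample value containing every character the filter touches.
const SAMPLE = `Tom's "quoted" <b>&</b> text`;

console.log(renderInput(SAMPLE));
// → <input value="Tom&#39;s &quot;quoted&quot; &lt;b&gt;&amp;&lt;/b&gt; text">
```

Note that the containment check relies on the attribute being double-quoted in the template; an unquoted attribute has no delimiter for the escaping to protect.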

source: stackoverflow.com