Drupal - How to properly filter a form's data against XSS?

There's a huge issue with your implementation: it's destructive. Let's say a user writes about HTML, uses common comparison symbols or just uses the evil emoticon for despair: <o>. Changing data will make it harder for the user to later edit his post, it might even remove parts of it. Let's respect the user effort of typing into a textarea and hitting 'Save'.

So, what to do about XSS? Well, XSS is not dangerous in your database, it is only dangerous when displayed in a browser. So relax about saving it and worry about displaying it. Default formatters for text fields will use the text format settings to apply filters. Make sure the text formats available for your user are safe. And if you're writing your own formatter, don't forget to filter the output (preferrably by respecting the text format settings).

See https://drupal.org/node/28984 and https://drupal.org/documentation/modules/filter for more on this topic.

Tags:

Forms

7

Related

Drupal - Validate all instances of a field programmatically Drupal - How to get list of cron tasks? Drupal - How do I alter the route defined by another module? Drupal - Referenced Entity as an Exposed Filter Drupal - Why is it sometimes $node->field_name[0], and sometimes $node->field_name['und'][0]? Drupal - Can we get full count of results from a query that is extended by PagerDefault Drupal - How to create a node with submissions of a webform? Drupal - Generically detecting changed fields in a custom form prior to saving a node Drupal - How do I write an additional field formatter for an existing field Drupal - Proper way to get the base path when including an image from a module? Drupal - How to get the node ID in jQuery/JavaScript Drupal - Why does the favicon sometimes not show up and generate "page not found" errors, and other times does show up

Recent Posts