Sanitizing user input is important to prevent potential security vulnerabilities such as cross-site scripting (XSS) attacks. In Shopware 6 there's a filter `sw_sanitize` for that. In the templates they mostly use it for translated snippets like `detail.productNumberLabel`. When digging in the templates one can see that for a lot of entity properties, sanitizing is skipped, for example with `page.product.translated.name`. What's the thinking about this? IMO these values should also be sanitized, but maybe I am missing something?
When do we need to use `sw_sanitize`?
Asked by Quisse
There are 2 answers
One should only use `sw_sanitize` when basic HTML tags are allowed to be displayed, like `<b>`, `<i>`, ...
By default, autoescaping is on in Twig, so all values are escaped. This is stated in the docs: https://twig.symfony.com/doc/3.x/templates.html#html-escaping
When generating HTML from templates, there's always a risk that a variable will include characters that affect the resulting HTML. There are two approaches: manually escaping each variable or automatically escaping everything by default.
Twig supports both, automatic escaping is enabled by default.
The product name is of type `StringField`, as you can see in the `ProductTranslationDefinition`. Those fields are sanitized automatically within the `StringFieldSerializer`, which is calling the `sanitize` method of the `AbstractFieldSerializer`. The `productNumberLabel`, on the other hand, is a snippet which could be overwritten by the merchant. So it needs to be ensured that it is sanitized correctly when it is displayed.