XSS Risk in textarea

I'm using Phalcon\Forms\Element\Textarea in my form, but it seems not to be escaped.

https://github.com/phalcon/cphalcon/blob/5372ac7972218b10fd9f08027a7718ea10f191b5/phalcon/tag.zep#L963

So, if I input the text below in my textarea, XSS will happen, I think.

test</textarea><script>alert(document.cookie)</script>

edited Sep '16

update:

I treated this problem temporarily as below;

use Phalcon\Forms\Element\Textarea;

// FormBase is the application's own base form class (extends Phalcon\Forms\Form)
class myForm extends FormBase
{
    public function initialize($entity = null, $options = null)
    {
        $textarea = new Textarea('opinion');
        $this->add($textarea);
    }

    // Workaround: escape the submitted value by hand, since Textarea::render() does not.
    // $this->escaper and $this->request resolve through the DI container the form is bound to.
    public function getOpinion()
    {
        return $this->escaper->escapeHtml($this->request->get('opinion'));
    }
}
edited Sep '16
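The workaround above escapes the value at the point it is read back; the element itself still renders whatever is in it unescaped. As an added example (not from this thread or from the Phalcon project), here is a Textarea subclass that escapes both the attributes and the body at render time, shown next to the raw string interpolation that the linked Tag::textArea does. It assumes Phalcon 3.x: Phalcon\Escaper with escapeHtml()/escapeHtmlAttr(), and Phalcon\Forms\Element\Textarea providing getName(), getValue(), getAttributes() and setDefault(). The renderRaw() helper is constructed here only to show the unsafe output for comparison.

```php
<?php
// Added example, not part of the original thread or of Phalcon itself.
// Assumes Phalcon 3.x (Phalcon\Escaper, Phalcon\Forms\Element\Textarea).

use Phalcon\Escaper;
use Phalcon\Forms\Element\Textarea;

class EscapedTextarea extends Textarea
{
    public function render($attributes = null)
    {
        $escaper = new Escaper();

        // Merge the element's own attributes with any passed at render time.
        // The body always comes from the element's value (bound entity or posted
        // data), never from an attribute, so drop any 'value' key.
        $attrs = array_merge((array) $this->getAttributes(), (array) $attributes);
        $attrs['name'] = $this->getName();
        if (!isset($attrs['id'])) {
            $attrs['id'] = $this->getName();
        }
        unset($attrs['value']);

        $html = '<textarea';
        foreach ($attrs as $key => $val) {
            // Attribute names and values are escaped with the attribute-context escaper
            $html .= ' ' . $escaper->escapeHtmlAttr((string) $key)
                   . '="' . $escaper->escapeHtmlAttr((string) $val) . '"';
        }

        // The body is escaped in HTML context, so a submitted "</textarea>" cannot
        // close the element early.
        $html .= '>' . $escaper->escapeHtml((string) $this->getValue()) . '</textarea>';

        return $html;
    }
}

// Constructed stand-in for the unescaped interpolation in Tag::textArea, for contrast.
function renderRaw(string $name, string $value): string
{
    return '<textarea name="' . $name . '">' . $value . '</textarea>';
}

// The payload from the original post
$payload = 'test</textarea><script>alert(document.cookie)</script>';

echo renderRaw('opinion', $payload), PHP_EOL;   // the script tag lands in the page

$el = new EscapedTextarea('opinion');
$el->setDefault($payload);                       // stands in for a bound or posted value
echo $el->render(), PHP_EOL;                     // the payload stays inside the textarea as text
```

Register EscapedTextarea in place of Textarea in the form's initialize() and the escaping happens wherever the element is rendered, with no per-getter workaround. Note that this protects the textarea body only; a value echoed anywhere else in the view (a Volt template, a JSON response) still needs escaping for that context.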

I agree that such components need to offer basic filtering out of the box. But they do not, so for example I need to apply sanitize on every route

function getContent($num = null)
{
    // 'myCustomFilter' is a filter registered on the filter service; the chain runs
    // left to right and the result is cast to int
    $num = (int) $this->filter->sanitize($num, ['myCustomFilter', 'alphanum', 'int']);
}
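As an added example (not from this thread or from Phalcon), here is what the filter chain in the reply looks like when the custom filter is registered and the chain is wrapped in one reusable function, so it is written once instead of in every action. It assumes Phalcon 3.x: Phalcon\Filter with add() for registering a named callable and sanitize() accepting an array of filter names. 'myCustomFilter' is hypothetical and implemented here as "strip everything but digits"; the sample inputs are constructed.

```php
<?php
// Added example, not part of the original thread or of Phalcon itself.
// Assumes Phalcon 3.x (Phalcon\Filter::add / Phalcon\Filter::sanitize).

use Phalcon\Filter;

$filter = new Filter();

// Hypothetical custom filter: keep digits only. In an application this would be
// registered on the shared 'filter' service in the DI container so $this->filter
// picks it up in every controller.
$filter->add('myCustomFilter', function ($value) {
    return preg_replace('/[^0-9]/', '', (string) $value);
});

/**
 * Runs the same chain as the reply's getContent() and returns a validated
 * integer, or null when the input is absent or contains no usable number.
 * Returning null (instead of 0) lets the caller tell "missing" from "zero".
 */
function cleanInt(Filter $filter, $raw): ?int
{
    if ($raw === null || $raw === '') {
        return null;
    }
    $clean = $filter->sanitize($raw, ['myCustomFilter', 'alphanum', 'int']);
    return ($clean === '' || $clean === null) ? null : (int) $clean;
}

// Constructed inputs: a plausible id, an id with trailing junk, and a markup payload
foreach (['42', '12abc', '<script>alert(1)</script>', '', null] as $input) {
    var_dump(cleanInt($filter, $input));
}
```

Because 'myCustomFilter' already removes every non-digit, 'alphanum' and 'int' are redundant here; they are kept to mirror the chain from the reply. The important property is that the sanitized value is cast to a typed integer before use, so the route code never handles the raw request string.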