Here is what I'm doing:
<input value="{{ value | strip_html | escape }}">
Looking at examples it seems like escape might be enough:
https://github.com/Shopify/liquid/search?p=1&q=escape&unscoped_q=escape
but it doesn't escape <, >, and " for instance.
(Obviously no escape leads to an XSS.)
I'm using the latest liquidjs.
3 Answers
I will update this answer if things change, but it seems like | escape is enough and there isn't a way to get out of a double-quoted attribute ("") without a double quote; I just need to make sure I'm using double quotes. So this should be enough:
To be clear,
<input value="{{ value }}">
exposes you to an XSS vulnerability. You can see the differences for yourself: https://jsfiddle.net/h80radfu/
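The attribute-breakout point made in this answer, as an added example that is not part of the original post and does not use liquidjs itself: a small stand-in for Liquid's escape filter (assumed to replace &, <, >, " and ', which is the documented behaviour of the filter) plus a model of how a browser ends a double-quoted attribute at the next raw quote. The constructed input, the renderer functions and the helper names are all assumptions for illustration.

```javascript
// Stand-in for Liquid's `escape` filter (assumption: the five characters below
// are replaced, matching the filter's documented behaviour; not liquidjs code).
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// The two templates from the answer, rendered by hand:
//   <input value="{{ value }}">            (no filter)
//   <input value="{{ value | escape }}">   (escaped)
function renderUnescaped(value) {
  return `<input value="${value}">`;
}
function renderEscaped(value) {
  return `<input value="${escapeHtml(value)}">`;
}

// Reverse the entity encoding, as a browser does when it reads an attribute value.
function decodeHtml(text) {
  const map = { amp: '&', lt: '<', gt: '>', quot: '"', '#39': "'" };
  return text.replace(/&(amp|lt|gt|quot|#39);/g, (_, name) => map[name]);
}

// Model of the browser's attribute parser: a double-quoted value ends at the
// next raw double quote. Returns the value the browser would actually use.
function browserAttributeValue(html) {
  const start = html.indexOf('value="') + 'value="'.length;
  const end = html.indexOf('"', start);
  return decodeHtml(html.slice(start, end));
}

// Count tag starts (`<` followed by a letter or `/`). An intact <input> renders
// exactly one; anything more means the attribute was broken out of.
function countTags(html) {
  return (html.match(/<[a-zA-Z/]/g) || []).length;
}

// Constructed user input: contains a quote, a closing bracket and a new element.
const CONSTRUCTED_INPUT = 'O\'Neil"><b>not part of the value</b>';

// Without escaping, the browser sees a short value plus an extra <b> element;
// with escaping, the browser sees the full original string as the value.
console.log(renderUnescaped(CONSTRUCTED_INPUT));
console.log('  value seen:', JSON.stringify(browserAttributeValue(renderUnescaped(CONSTRUCTED_INPUT))),
            'tags:', countTags(renderUnescaped(CONSTRUCTED_INPUT)));
console.log(renderEscaped(CONSTRUCTED_INPUT));
console.log('  value seen:', JSON.stringify(browserAttributeValue(renderEscaped(CONSTRUCTED_INPUT))),
            'tags:', countTags(renderEscaped(CONSTRUCTED_INPUT)));
```

The check that matters is the round trip: after escaping, `browserAttributeValue` returns the original string unchanged and the fragment still contains one tag, which is why a double-quoted attribute cannot be left once every quote in the value has become `&quot;`. The same is not true of an unquoted attribute, so the answer's "make sure I'm using double quotes" is part of the fix, not a detail.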
Other escaping filters that may suit your needs are:
- handle (or handleize): Formats a string into a handle.
- url_encode: Converts any URL-unsafe characters in a string into percent-encoded characters.
- url_escape: Identifies all characters in a string that are not allowed in URLs, and replaces the characters with their escaped variants.
- url_param_escape: Replaces all characters in a string that are not allowed in URLs with their escaped variants, including the ampersand (&).
- json: Converts a string into JSON format. (Note: simple variables, such as strings, become escaped strings wrapped in double quotes.)
Give these a spin and see if any of them meet your requirements.
Sources:
https://help.shopify.com/en/themes/liquid/filters/string-filters
https://help.shopify.com/en/themes/liquid/filters/additional-filters
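Why the filters in this answer are not interchangeable, as an added example that is not from the original answer or from liquidjs: stand-ins for url_encode and json (assumed to behave like percent-encoding with spaces as "+" and like JSON.stringify respectively; the exact character set Shopify's filters encode is not checked here) placed next to an HTML-escape stand-in, with a model of how a server splits a query string. The input string and helper names are constructed for illustration.

```javascript
// Stand-in for `escape` (HTML context): assumption, mirrors the documented filter.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Stand-in for `url_encode` (URL context): assumption, percent-encodes the
// characters encodeURIComponent leaves alone and writes a space as "+".
function urlEncode(value) {
  return encodeURIComponent(String(value))
    .replace(/[!'()*~]/g, (ch) => '%' + ch.charCodeAt(0).toString(16).toUpperCase())
    .replace(/%20/g, '+');
}

// Stand-in for `json` (script context): assumption, JSON.stringify.
function toJson(value) {
  return JSON.stringify(value);
}

// Browsers decode entities in an href before following it; model that step.
function browserDecodes(text) {
  const map = { amp: '&', lt: '<', gt: '>', quot: '"', '#39': "'" };
  return text.replace(/&(amp|lt|gt|quot|#39);/g, (_, name) => map[name]);
}

// Model of a server parsing the query string: split on "&", then on "=".
function parseQuery(qs) {
  const params = {};
  for (const part of qs.split('&')) {
    const [k, v = ''] = part.split('=');
    params[decodeURIComponent(k.replace(/\+/g, ' '))] = decodeURIComponent(v.replace(/\+/g, ' '));
  }
  return params;
}
function paramsSeenByServer(href) {
  return parseQuery(href.split('?')[1] ?? '');
}

// Constructed user input containing both an ampersand and quotes.
const CONSTRUCTED_QUERY = 'shoes & "boots"';

// <a href="/search?q={{ value | escape }}">: safe for the attribute, but the
// browser turns &amp; back into "&" and the server sees two parameters.
function hrefWithEscapeOnly(value) {
  return `/search?q=${browserDecodes(escapeHtml(value))}`;
}
// <a href="/search?q={{ value | url_encode }}">: the value survives as one parameter
// and contains no ", < or > either, so the attribute is also intact.
function hrefWithUrlEncode(value) {
  return `/search?q=${urlEncode(value)}`;
}

console.log(hrefWithEscapeOnly(CONSTRUCTED_QUERY), paramsSeenByServer(hrefWithEscapeOnly(CONSTRUCTED_QUERY)));
console.log(hrefWithUrlEncode(CONSTRUCTED_QUERY), paramsSeenByServer(hrefWithUrlEncode(CONSTRUCTED_QUERY)));
// var v = {{ value | json }};  -> quotes inside the string are backslash-escaped,
// so the JavaScript string literal ends where the template author intended.
console.log(`var v = ${toJson(CONSTRUCTED_QUERY)};`);
```

The point to take from this is that each filter answers a different question: escape keeps a value inside an HTML attribute, url_encode keeps it inside one query parameter, and json keeps it inside a script literal. Picking the filter by where the value lands in the output, rather than by which one "looks safe", is what prevents the value from changing the structure around it.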
Shopify will escape most values by default. However, many Liquid libraries (like the Ruby Gem) do not and will require explicit use of the | escape filter. So in Shopify, this will be enough
For every other Liquid implementation do
You do not need the strip_html, as that will mangle your user input should a user need to put HTML characters in their text.