It can be tested with Grav v1.3.7 and Firefox v57, I’m on Mac. This doesn’t seems to happen in Chrome has Chrome stops the load of the page: "Chrome detected unusual code on this page and blocked it to protect your personal information (for example, passwords, phone numbers, and credit cards). ERR_BLOCKED_BY_XSS_AUDITOR"
Solution:
I found that using a Twig escape filter solves the issue but that’s not convenient.
Is it something Grav knows about and should be fixed on the uri.query API root or do I have to find my own solution for that?
You can find here a zip with the archive to reproduce the problem: https://we.tl/OICYYGRDSJ
I simply created a new page folder called foobar and created a template file called foobar.html.twig where I added the following code:
OK, now I follow you. So this is not actually an XSS issue in Grav itself, it’s more of a developer awareness that you need to be aware of when creating custom Twig.
Some points:
Grav is not forcing escaping on the frontend. This is primarily because when we started Grav, we figured that Twig templates were something that a developer would put together, and in this case (just like in PHP logic), the developer would be aware and smart enough to filter things that need escaping.
After the initial release of Grav, we actually thought it would be a good safety feature to force escaping in Twig, however, there never was a good point to do this because it would definitely break sites. We have identified Grav 2.0 as a good point to switch over to automatic escaping, however, this is not a simple toggle as it would break things in places and needs extensive testing.
You can actually enable this yourself if you wish, but you are going to have to update any Twig that outputs stuff incorrectly. You will probably have to use |raw filter in places where you are expecting special chars but don’t get it. In system.yaml set:
