theme-tools icon indicating copy to clipboard operation
theme-tools copied to clipboard
verified publisher icon Shopify

Feature: Recommend escaping strings that can contain user-typed HTML

Open willbroderick opened this issue 3 years ago • 0 comments

I would love to see Theme Check recommend escaping all user-entered plain text (with | escape) I see a lot of developers not escaping strings in Liquid {{ ... }} output.

The information that would tell us which Liquid object properties need escaping is not available in any form. So this may be a large task.

I can see this needing:

  1. A maintained list of Liquid object properties that need escaping. I don't know if Shopify could take this on.
  2. A method of identifying when these properties are being output onto the page (taking into account assignment, loops, etc).

There are many examples of this issue in the current version of Dawn.

If you enter a Discount with the name This <is> a discount, any page on which the discount shows will contain the HTML tag <is> when output: https://github.com/Shopify/dawn/blob/627bb72c748cb02e905d5972e41c7e4a0cccd620/sections/main-order.liquid#L237 I don't believe this is desired.

An HTML attribute example: https://github.com/Shopify/dawn/blob/acff8d7c6be60f7d2ec220ca1a21be2c619ff633/snippets/facets.liquid#L116

Enter a double-quote into a value that displays in a facet filter (like a distance - 6"), and the HTML becomes broken.

This occurs in a large number of places in Dawn and other themes. Theme Check would be a great tool for enforcing good practices here.

willbroderick avatar Nov 01 '22 11:11 willbroderick