Dear supporter,
We have recently been trying to retest our site security, and something came up while testing for HTML injection into user input.
Tell us what you are trying to do?
We are trying to strip HTML tags from form inputs. In the Toolset settings I see that you can select the HTML tags you allow. Currently we have no HTML tags allowed; however, they are still getting in when we submit a WYSIWYG field on a Toolset form (the title, on the other hand, seems to filter out HTML tags correctly for non-admins). Thankfully, due to the display filters we apply, they appear to just show up as regular text, but we would still like to remove them before they get into the database. So my question is: is there something else we have to select to filter out HTML tags on submit?
Is there any documentation that you are following?
Is there a similar example that we can see?
Here is a post with the tags in the content (our development site):
hidden link
What is the link to your site?
hidden link
Toolset form version: 2.6.9
WordPress Version: 5.7
Thank you!
Hello Don and thank you for contacting Toolset support.
I ran a small test on a clean installation, and the WYSIWYG fields get filtered correctly: all the HTML tags are stripped. You can check my test site with this URL: hidden link
Can you try to reproduce the same issue on it? That would help me see whether I have missed something.
My issue is resolved now. Thank you! It turns out that on our site, when we edited the form, the HTML tag encoding did not show up (it shows the actual tags rather than the encoded versions), but in our actual database it is encoded properly and does not actually save HTML tags.
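As an added example (not code from this thread or from Toolset), the following Python audit captures the distinction the last reply describes: a stored field value that contains entity-encoded tags such as `&lt;b&gt;` renders as plain text, whereas raw tags are real markup and should be checked against the allowed-tag list. The stored values below are constructed samples standing in for rows you would pull from the database; `audit_stored_value` is a hypothetical helper name.

```python
from collections import Counter
from html.parser import HTMLParser
import html


class TagCollector(HTMLParser):
    """Collects the names of every start tag the parser encounters."""

    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)


def raw_tags(text):
    """Return the start-tag names that exist as real markup in text."""
    collector = TagCollector()
    collector.feed(text)
    collector.close()
    return collector.tags


def audit_stored_value(stored, allowed=frozenset()):
    """Classify a stored form field value.

    raw          - tags present as real markup in the stored value
    disallowed   - raw tags not in the allowed list (the actual problem case)
    encoded_only - tags that appear only after entity decoding, i.e. the
                   database holds &lt;b&gt; text, which displays as literal text
    ok           - True when no disallowed raw tag is stored
    """
    raw = Counter(raw_tags(stored))
    decoded = Counter(raw_tags(html.unescape(stored)))
    encoded_only = decoded - raw  # Counter subtraction keeps only surplus tags
    disallowed = sorted(t for t in raw if t not in allowed)
    return {
        "raw": sorted(raw.elements()),
        "disallowed": disallowed,
        "encoded_only": sorted(encoded_only.elements()),
        "ok": not disallowed,
    }


if __name__ == "__main__":
    # Constructed sample values, not real database rows.
    samples = {
        "encoded": "Hello &lt;b&gt;world&lt;/b&gt; &lt;script&gt;x()&lt;/script&gt;",
        "raw": "<p>Hello <b>world</b></p><script>x()</script>",
    }
    for name, value in samples.items():
        print(name, audit_stored_value(value, allowed=frozenset({"p", "b"})))
```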