Multi-line input XSS Attack Window?

I know that Bubble's regular input element is protected from XSS attack window, but what about multiline input? I don't see anything to choose the type of content like that of the regular input element. @emmanuel @josh?

Any update to this?

Looks like the RTI does not appear to have XSS protection, for example:

[b]test[/b]'">test.com<'<<"[img]x[/img][b]test[/b]'">test.com<'<<"<img src=x onerror=alert()>

test’“>test.com<‘<<"test’”>test.com<'<<"

Interesting - it's protected on the forum, but not in my app, when I put the same into a rich text input provided by Bubble.

This is BB code, and the expected behaviour. Users provide an input, and that’s saved as plain text. When text is displayed, by default, BBCode formatting is enabled. You can disable this on the text element settings.

You, sir, are a godsend. Thank you for your response.

The issue with this is that if I disable BBCode, I can no longer use rich text formatting in Text display, so it stops the XSS but removes the functionality I want - Does anyone know the best way to sanitise input (on the backend) so that it cannot contain XSS?
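
One way to keep rich text formatting without rendering arbitrary HTML, as an added example that is not part of the thread and not Bubble's own code: escape every HTML metacharacter at render time and emit markup only for an allowlisted set of BBCode tags. The function names, the tag allowlist (b, i, u, img) and the http(s)-only URL rule are assumptions made for illustration.

```javascript
// Added example: allowlist BBCode renderer (names and allowlist are assumptions).
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Neutralise every HTML metacharacter so raw markup is shown as text.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Accept only absolute http(s) URLs; javascript:, data: and relative values are rejected.
function safeUrl(raw) {
  try {
    const u = new URL(raw);
    return u.protocol === 'http:' || u.protocol === 'https:' ? u.href : null;
  } catch (_) {
    return null;
  }
}

// Escape everything, then emit HTML only for allowlisted BBCode tokens.
function renderBBCode(input) {
  const text = String(input);
  const TOKEN = /\[(\/?)(b|i|u)\]|\[img\]([^\[\]]*)\[\/img\]/gi;
  const open = [];
  let out = '';
  let last = 0;
  for (const m of text.matchAll(TOKEN)) {
    out += escapeHtml(text.slice(last, m.index));
    last = m.index + m[0].length;
    if (m[3] !== undefined) {
      const url = safeUrl(m[3].trim());
      out += url ? `<img src="${escapeHtml(url)}" alt="">` : escapeHtml(m[0]);
    } else {
      const tag = m[2].toLowerCase();
      if (!m[1]) { open.push(tag); out += `<${tag}>`; }
      else if (open[open.length - 1] === tag) { open.pop(); out += `</${tag}>`; }
      else out += escapeHtml(m[0]); // stray closing tag stays literal
    }
  }
  out += escapeHtml(text.slice(last));
  while (open.length) out += `</${open.pop()}>`; // close anything left open
  return out;
}

// The test string from the thread above, rendered through the allowlist.
const SAMPLE = `[b]test[/b]'">test.com<'<<"[img]x[/img][b]test[/b]'">test.com<'<<"<img src=x onerror=alert()>`;
console.log(renderBBCode(SAMPLE));
```

Because the escaping happens when the text is displayed, the stored value can stay as the plain text the user typed; the same function has to be applied at every place that text is rendered.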