Text input doesn't make string HTML safe (can inject code to run on user's browser)

[lemniscate8]

The Bug
Text inputs do not make value HTML safe when using .Value. Since there are places where URL parameters are used to populate an input field via .Value (see ConfigPanel.hpp) this is an entry point for arbitrary code execution in the user's browser.

To Reproduce
Here's some code:

#include "emp/web/web.hpp"
#include "emp/web/Input.hpp"

emp::web::Document doc("emp_base");


int main() {
  emp::web::Input in([]() { ; }, "text", "Label");
  in.Value("hi there\"/> <script> alert(\"hi there\"); </script> <input style='display: none'");
  doc << in;
}

Expected behavior
All the text set via Value should appear in the input. However, text after the quote character does not exist though programmatically accessing the value will give the full string.

Toolchain

• OS: Mac
• Compiler: Emscripten 1.38.48
• Browser: Chrome
• Empirical version: master

Possible Fix
We probably need to replace " with " and in general make the string HTML safe.

[mercere99]

I wonder if emp::to_literal() from string_utils.hpp needs to be run on the string to deal with special characters?