Laravel's 'old input' feature, used to repopulate forms after validation errors, can be exploited by manipulating input field names (e.g., changing `email` to `email[]`). This causes the old input to be stored as an array instead of a string, which can trigger a 500 error when Laravel tries to pass the array to `htmlspecialchars`. The takeaway is that old inputs are still user-controlled inputs and must be validated with zero trust before use.
Sort: