Don't XSS-strip out the good stuff from editable HTML content

Robert Sinton requested to merge patch/no_stripping_for_editable into master

When receiving POSTed editable content slugs, extract them without applying XSS-stripping, as we will often be receiving HTML content.

What I did

  • Turned off XSS-stripping when extracting slugs from the POSTed input.

Implications

  • Potentially allows JS scripts etc. to be posted and end up on a page.

Setup

None.

How to test

  • Code review
  • On any editable content block, try setting H2 or similar, and centred alignment or similar. Save and reload to check they have ended up as intended; prior to this change the content would end up starting as just .
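The trade-off the merge request describes is an all-or-nothing one: the XSS filter strips the H2 and alignment the editor legitimately produces, and turning it off lets scripts through. The added example below is not code from this project; it sketches the middle ground a reviewer would usually ask for, an allowlist sanitizer that keeps a fixed set of editor tags (including `h2` and a `text-align` style) and drops everything else, including `<script>` bodies, event-handler attributes and `javascript:` links. The allowlist, the helper names and the sample POST body are all constructed for illustration; a real deployment would tune the allowlist to what its editor actually emits.

```python
"""Allowlist HTML sanitizer for editor-generated content (illustrative, stdlib only)."""
from html import escape
from html.parser import HTMLParser

# Constructed allowlist: tag -> attributes it may carry. Anything not listed
# is dropped as a tag (its text is kept), except DROP_CONTENT whose text goes too.
ALLOWED_TAGS = {
    "p": {"style"}, "h1": {"style"}, "h2": {"style"}, "h3": {"style"},
    "strong": set(), "em": set(), "ul": set(), "ol": set(), "li": set(),
    "br": set(), "a": {"href"},
}
DROP_CONTENT = {"script", "style"}
VOID_TAGS = {"br"}


def _safe_style(value):
    """Keep only `text-align: left|center|right`; every other declaration is dropped."""
    kept = []
    for decl in value.split(";"):
        prop, _, val = decl.partition(":")
        prop, val = prop.strip().lower(), val.strip().lower()
        if prop == "text-align" and val in {"left", "center", "right"}:
            kept.append(f"{prop}: {val}")
    return "; ".join(kept)


def _safe_href(value):
    """Allow only http(s), mailto and same-site absolute paths (no protocol-relative //)."""
    v = value.strip()
    low = v.lower()
    if low.startswith(("http://", "https://", "mailto:")):
        return v
    if low.startswith("/") and not low.startswith("//"):
        return v
    return None


class AllowlistSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.skip_depth = 0   # > 0 while inside <script>/<style>
        self.open_stack = []  # allowed tags we emitted and still need to close

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT:
            self.skip_depth += 1
            return
        if self.skip_depth or tag not in ALLOWED_TAGS:
            return  # unknown tag (img, iframe, b, ...): tag removed, text kept
        safe_attrs = []
        for name, value in attrs:
            name = name.lower()
            if name not in ALLOWED_TAGS[tag] or value is None:
                continue  # on* handlers and any unlisted attribute never survive
            if name == "style":
                value = _safe_style(value)
            elif name == "href":
                value = _safe_href(value)
            if value:
                safe_attrs.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(safe_attrs)}>")
        if tag not in VOID_TAGS:
            self.open_stack.append(tag)

    def handle_endtag(self, tag):
        if tag in DROP_CONTENT:
            self.skip_depth = max(0, self.skip_depth - 1)
            return
        if self.skip_depth or tag not in self.open_stack:
            return
        while self.open_stack:  # close up to and including `tag` (repairs mis-nesting)
            t = self.open_stack.pop()
            self.out.append(f"</{t}>")
            if t == tag:
                break

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(escape(data, quote=False))  # re-escape text content

    def result(self):
        while self.open_stack:  # close anything the input left open
            self.out.append(f"</{self.open_stack.pop()}>")
        return "".join(self.out)


def sanitize_editable_html(html):
    p = AllowlistSanitizer()
    p.feed(html)
    p.close()
    return p.result()


# Constructed sample POST body mixing legitimate editor output with hostile markup.
SAMPLE_POST = (
    '<h2 style="text-align: center; color: expression(alert(1))">Title</h2>'
    '<p onclick="alert(1)">Hello <b>world</b> &amp; friends</p>'
    '<script>alert("xss")</script><img src=x onerror=alert(1)>'
    '<a href="javascript:alert(1)">bad</a><a href="https://example.com">ok</a>'
)

if __name__ == "__main__":
    print(sanitize_editable_html(SAMPLE_POST))
```

Run on the constructed sample, the centred `h2` and the paragraph text survive while the `onclick`, `color: expression(...)`, `<script>`, `<img onerror>` and `javascript:` href are all removed, which is the behaviour the "How to test" bullet wants without the blanket pass-through the "Implications" bullet warns about.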
