Don't XSS-strip out the good stuff from editable HTML content
When receiving POSTed editable content slugs, extract them without applying XSS-stripping, as we will often be receiving HTML content.
What I did
- Turned off XSS-stripping when extracting slugs from the POSTed input.
Implications
- Potentially allows JS scripts etc. to be posted and end up on a page.
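As an added illustration (this is not code from this PR or the project, and the tag/attribute allowlist it uses is an assumption about what the editor emits), the following standard-library Python sanitiser shows the middle ground between the two behaviours described above: it keeps the H2 and centred-alignment markup the editor produces while still removing script elements, event-handler attributes and javascript: links. The blunt strip-everything function is included for contrast.

```python
"""Allowlist HTML sanitiser (added example, Python standard library only).

Keeps editor formatting such as headings, text alignment and http(s) links,
drops script/iframe elements with their content, and drops every attribute
that is not explicitly allowlisted (on* handlers, src, class, id, ...).
The allowlist itself is an assumption about what the editor produces.
"""
import re
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlsplit

ALLOWED_TAGS = {"p", "div", "h1", "h2", "h3", "strong", "em", "b", "i",
                "ul", "ol", "li", "a", "br"}
VOID_TAGS = {"br"}
ALLOWED_STYLE = {"text-align": {"left", "center", "right", "justify"}}
ALLOWED_URL_SCHEMES = {"http", "https", "mailto"}
# Elements whose text content must go too: a dropped <script> must not leave
# its body behind as visible text.
DROP_WITH_CONTENT = {"script", "style", "iframe", "object", "embed", "noscript"}


def clean_style(value: str) -> str:
    """Keep only allowlisted CSS declarations, e.g. 'text-align: center'."""
    kept = []
    for decl in value.split(";"):
        prop, _, val = decl.partition(":")
        prop, val = prop.strip().lower(), val.strip().lower()
        if val in ALLOWED_STYLE.get(prop, ()):
            kept.append(f"{prop}: {val}")
    return "; ".join(kept)


def safe_href(value: str):
    """Return the href if its scheme is allowlisted or relative, else None."""
    # Browsers ignore tab/CR/LF inside URLs, so remove them before checking
    # the scheme; refuse anything else below 0x20 outright.
    cleaned = value.strip().translate({ord(c): None for c in "\t\n\r"})
    if any(ord(c) < 0x20 for c in cleaned):
        return None
    try:
        scheme = urlsplit(cleaned).scheme.lower()
    except ValueError:
        return None
    return cleaned if scheme == "" or scheme in ALLOWED_URL_SCHEMES else None


class AllowlistSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.open_tags = []   # kept elements still awaiting their closer
        self.skip_depth = 0   # > 0 while inside a DROP_WITH_CONTENT element

    def handle_starttag(self, tag, attrs):
        if tag in DROP_WITH_CONTENT:
            self.skip_depth += 1
            return
        if self.skip_depth or tag not in ALLOWED_TAGS:
            return  # disallowed wrapper: drop the tag itself, keep its text
        parts = [tag]
        for name, value in attrs:
            value = value or ""
            if name == "style" and (css := clean_style(value)):
                parts.append(f'style="{escape(css, quote=True)}"')
            elif name == "href" and tag == "a" and (url := safe_href(value)):
                parts.append(f'href="{escape(url, quote=True)}"')
            # every other attribute (on*, src, class, id, data-*) is dropped
        self.out.append("<" + " ".join(parts) + ">")
        if tag not in VOID_TAGS:
            self.open_tags.append(tag)

    def handle_endtag(self, tag):
        if tag in DROP_WITH_CONTENT:
            self.skip_depth = max(0, self.skip_depth - 1)
            return
        if self.skip_depth or tag not in self.open_tags:
            return
        while self.open_tags:  # also close anything left open inside it
            closed = self.open_tags.pop()
            self.out.append(f"</{closed}>")
            if closed == tag:
                break

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(escape(data, quote=False))

    def result(self) -> str:
        self.close()
        while self.open_tags:  # close elements the input left unclosed
            self.out.append(f"</{self.open_tags.pop()}>")
        return "".join(self.out)


def sanitize(fragment: str) -> str:
    parser = AllowlistSanitizer()
    parser.feed(fragment)
    return parser.result()


def strip_all_tags(fragment: str) -> str:
    """The blunt approach: every tag goes, so the H2 and the centred
    alignment are lost together with the scripts."""
    return re.sub(r"<[^>]*>", "", fragment)
```

Run `sanitize()` over the saved content block instead of stripping it: a centred H2 survives as `<h2 style="text-align: center">`, while `<script>`, `onclick=` and `href="javascript:..."` do not reach the page.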
Setup
None.
How to test
- Code review
- On any editable content block, try setting H2 or similar, and centred alignment or similar. Save and reload to check they have ended up as intended; prior to this change the content would end up starting as just .