Sanitise HTML in enterprise and product descriptions #12448
Assignees
Comments
This was referenced May 10, 2024
|
@mkllnk please add clockify code to issue and associated pull requests |
This was referenced May 22, 2024
|
@kirstenalarsen I can't see the clockfy code in this issue : Discover Regenerative (Macdoch pt 2): 3. Open Source Tech Evolution |
|
Good pick up @rioug . I updated the project codes to give more specificity. Have just adjusted above - could you please switch your hours to #3A |
|
Done ! I also updated the description on the related PR. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
ℹ️ Please use project Discover Regenerative (Macdoch pt 2): #3A. Tech - OFN & OFN/DFC Endpoints to track work on this issue.
Description
When using a description on another website like the Discover Regenerative portal, any contained HTML tags should be safe.
Currently, the OFN UX allows only certain HTML tags to be inserted into a description. We do not check the content before storing it in the database. Instead, we sanitise the descriptions when displaying them withing the OFN app. Our APIs are not sanitising though, pushing the responsibility to all consumers of the APIs.
The knowledge of allowed HTML tags sits within OFN though and we could sanitise the HTML before storing it in the database. That would make further sanitising in the many other parts of the app redundant. It would also avoid consumers of APIs accidentally embedding unsafe HTML. It would be less work for everyone.
Acceptance Criteria & Tests
<script>, are filtered out before they are exposed on the DFC API.Related issues:
The text was updated successfully, but these errors were encountered: