Does Dato sanitize HTML?

Hi again! Does the CDA sanitize HTML content before returning it to the client? Or should we run it through something like DOMPurify to be extra safe? Thank you!

Hello @maxime.preaux,

HTML sanitization is an option you can choose to enable (or not) in multi-line text fields; see the announcement "Multiple-paragraph text field now supports HTML sanitization".

If you do enable that, HTML will be sanitized according to the “relaxed” config of this lib (or see the source here).

Sanitization happens when you save (on write), not when you request it from the APIs (on read).

If that isn’t enough, or you want to use your own sanitization rules, then yes, you can do it on the frontend, or with a Dato plugin like Sanitize HTML - Plugins — DatoCMS (you can also fork that and modify it).


However, what is your use case here? Generally speaking, inserting raw HTML into your project should be a last resort, because it’s a more complex and error-prone markup language and can cause issues with frontend parsing if not done carefully. We would normally recommend Markdown for simpler rich text use cases, or our own Structured Text format, which is both powerful and semantically clean (no stray style tags, etc.): Structured text fields — DatoCMS

If you want to share some details about what you’re trying to put into the CMS, I’d be happy to think through it more with you.

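One practical consequence of the on-write behaviour described in the answer above is that records saved before the sanitization option was enabled are still stored as they were uploaded, and the CDA will return them as-is until each record is re-saved. The following script is an added example, not DatoCMS code and not an endorsement of regex-based sanitization: it triages HTML strings for constructs a sanitizer would strip (script tags, inline event handlers, `javascript:` URLs, embedded frames and objects) so that legacy records can be queued for re-saving or cleaning. The record shape (`{ id, body }`) and the sample records are constructed assumptions; real records would come from the Content Management API. Actual sanitization for rendering still belongs to a real sanitizer such as DOMPurify.

```javascript
// Added example (not DatoCMS code): find stored HTML that still needs
// sanitization. Dato sanitizes multi-line text fields on write, so content
// saved before the option was enabled is untouched until it is re-saved.
// This is a triage pass, not a sanitizer: it flags obvious risky markup so
// those records can be re-saved or cleaned, and it will miss obfuscated or
// entity-encoded payloads. Run a real sanitizer (e.g. DOMPurify) before render.

// Patterns that any "relaxed" allowlist sanitizer would remove.
const RISKY_PATTERNS = [
  { name: 'script-tag', re: /<\s*script\b/i },
  // Any tag carrying an on*="..." attribute (onerror, onload, onclick, ...).
  { name: 'event-handler', re: /<[^>]*\son\w+\s*=/i },
  // href/src/action pointing at a javascript: URL, tolerating leading space.
  { name: 'javascript-url', re: /\b(?:href|src|action)\s*=\s*["']?\s*javascript\s*:/i },
  { name: 'embedded-frame', re: /<\s*(?:iframe|object|embed)\b/i },
  { name: 'style-tag', re: /<\s*style\b/i },
];

// Returns the names of the patterns that match the given HTML string.
function findRiskyHtml(html) {
  return RISKY_PATTERNS.filter((p) => p.re.test(html)).map((p) => p.name);
}

// Walks a list of records and the names of their HTML-bearing fields,
// returning one finding per (record, field) that contains risky markup.
// Non-string field values (missing, numbers, structured data) are skipped.
function auditRecords(records, htmlFields) {
  const findings = [];
  for (const rec of records) {
    for (const field of htmlFields) {
      const value = rec[field];
      if (typeof value !== 'string') continue;
      const hits = findRiskyHtml(value);
      if (hits.length > 0) findings.push({ id: rec.id, field, hits });
    }
  }
  return findings;
}

// Constructed sample records standing in for a CMA listing of a model whose
// "body" field is a multi-line text field that was migrated as raw HTML.
const SAMPLE_RECORDS = [
  { id: 'a1', body: '<p>Plain paragraph with <a href="https://example.com">a link</a></p>' },
  { id: 'b2', body: '<p>Hello</p><script>alert(1)</script>' },
  { id: 'c3', body: '<img src="x" onerror="alert(1)">' },
  { id: 'd4', body: '<a href=" JavaScript:alert(1)">click</a>' },
  { id: 'e5', body: 42 }, // not a string: skipped rather than crashing
];

// Convenience entry point so the script can be run directly.
function runAudit() {
  const findings = auditRecords(SAMPLE_RECORDS, ['body']);
  for (const f of findings) {
    console.log(`record ${f.id} field ${f.field}: ${f.hits.join(', ')}`);
  }
  return findings;
}

runAudit();
```

The output lists `b2`, `c3` and `d4`; `a1` is clean and `e5` is skipped. Because the check is pattern-based it is only suitable for deciding which records to re-save through a field with sanitization enabled, not for deciding that a record is safe to render unsanitized.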

Thank you for pointing out that setting, I’d somehow missed it.

I’m currently migrating from another CMS and some of the content was in raw HTML, so it was easy to upload it as-is to a “Multiple-paragraph Text” field that accepts HTML.

Going forward, I will probably migrate those fields to Structured Text instead as that seems better and safer.

Thank you for the pointers!
