Purify HTML multiline text

It appears to be possible to save multiline HTML fields with content that could be used for XSS attacks when rendered on the frontend.

For example, with a text field configured with the HTML editor, the following content can be added and is successfully saved to the CMS.

<div onclick="alert('hello')"></div>

Would it be possible to add an option to purify the HTML input before saving it?

Further information about XSS attacks

DOMPurify


Can’t you purify it on render instead (using DOMPurify or another lib to process the field before sending it to dangerouslySetInnerHTML)?

Sometimes we need to inject scripts into HTML fields (third-party embeds and such) and I would hate to have Dato scrub it without asking. If it’s an option that can be set on a per-field basis, that’s fine I suppose. But then you’d still have to figure out what tags/props to allow and eventually you’d just recreate the entire complexity of DOMPurify configuration anyhow. Might this be a job better handled on the frontend than the database?

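
A toy allowlist sanitizer, added here as an illustration and not code from DatoCMS or from anyone in the thread, showing the render-side approach roger describes: the stored HTML from the first post is cleaned before it would reach dangerouslySetInnerHTML, and a separate `embed` profile permits `<iframe src>` where the plain `richText` profile does not. The profile names, tag lists and sample inputs are all constructed; DOMPurify, which the thread links, is what a real frontend would call in place of this stand-in.

```javascript
// Toy allowlist sanitizer standing in for DOMPurify (constructed example).
// Tags outside the profile are dropped but their text is kept; attributes outside
// the profile (so every on* handler) are dropped; URL attributes must be http(s).
const PROFILES = {
  // Ordinary rich-text field: no scripts, no frames, no event handlers.
  richText: { tags: ['p', 'div', 'a', 'strong', 'em', 'ul', 'li', 'br'], attrs: ['href', 'title'] },
  // Embed field: the same, plus iframes with a src, for third-party embeds.
  embed: { tags: ['p', 'div', 'a', 'iframe'], attrs: ['href', 'src', 'width', 'height'] },
};
const URL_ATTRS = new Set(['href', 'src']);
// Text nodes: neutralise stray '<' and '>' but leave existing entities alone.
const escapeText = (s) =>
  s.replace(/&(?![a-z#0-9]+;)/gi, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;');
// Attribute values are always re-emitted double-quoted, so escape the quote too.
const escapeAttr = (s) => s.replace(/&/g, '&amp;').replace(/"/g, '&quot;').replace(/</g, '&lt;');

function sanitize(html, profileName) {
  const profile = PROFILES[profileName];
  const tagRe = /<!--[\s\S]*?-->|<\/?([a-zA-Z][a-zA-Z0-9]*)\b([^>]*)>/g;
  let out = '';
  let last = 0;
  for (const m of html.matchAll(tagRe)) {
    out += escapeText(html.slice(last, m.index));
    last = m.index + m[0].length;
    if (m[1] === undefined) continue; // HTML comment: dropped
    const tag = m[1].toLowerCase();
    if (!profile.tags.includes(tag)) continue; // tag not in profile: dropped, text kept
    if (m[0].startsWith('</')) { out += `</${tag}>`; continue; }
    let attrs = '';
    const attrRe = /([a-zA-Z-]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
    for (const a of m[2].matchAll(attrRe)) {
      const name = a[1].toLowerCase();
      const value = a[2] ?? a[3] ?? a[4] ?? '';
      if (!profile.attrs.includes(name)) continue; // drops onclick, style, ...
      if (URL_ATTRS.has(name) && !/^https?:\/\//i.test(value.trim())) continue; // no javascript:
      attrs += ` ${name}="${escapeAttr(value)}"`;
    }
    out += `<${tag}${attrs}>`; // rebuilt from allowlisted pieces only
  }
  return out + escapeText(html.slice(last));
}

// The payload from the first post, cleaned for a rich-text field.
const cleaned = sanitize('<div onclick="alert(\'hello\')"></div>', 'richText');
```

The output is always rebuilt from allowlisted tag names and attribute values, never copied through, which is the same principle DOMPurify applies with a far more complete parser.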

I agree with @roger, 100%