It appears to be possible to save multiline HTML fields with content that could be used for XSS attacks when rendered on the frontend.
For example with a text field configured with the HTML editor the following content can be added and is successfully saved to the CMS.
<div onclick="alert('hello')"></div>
Would it be possible to add an option to purify the HTML input before saving it?
Canโt you purify it on render instead (using DOMPurify or another lib to process the field before sending it to dangerouslySetInnerHTML)?
Sometimes we need to inject scripts into HTML fields (third-party embeds and such) and I would hate to have Dato scrub it without asking. If itโs an option that can be set on a per-field basis, thatโs fine I suppose. But then youโd still have to figure out what tags/props to allow and eventually youโd just recreate the entire complexity of DOMPurify configuration anyhow. Might this be a job better handled on the frontend than the database?
I agree with @roger, 100%