Safety HTML editor as input field

We are using the multiple-paragraph text with the HTML field editor. I’m concerned that users can import scripts or other malicious JS into the field. Is there way to prevent this?

Hi @luna.olbrechts,

We just answered you on Slack, by the way :slight_smile: Sorry it took us a few hours!

But to copy the answer here:

In the validation settings, there is a “Prevent the use of dangerous HTML attributes” setting: Multiple-paragraph text field now supports HTML sanitization

Does that help? It should be enough to prevent innocent copy & pastes from trusted editors. I’d still double-sanitize it on the frontend too, just to be safe.

On the other hand, if your HTML field is also accepting inputs from the general public (i.e. you expose it via API call), I’d also be VERY VERY careful about what tags to accept in that form to begin with, both on the frontend and the backend API receiver. It should be sanitized and validated at every level… when it’s first typed, when it’s sent to the API, and then again when it’s pulled out of Dato into your frontend.

If you need more clarification, please feel free to ask (here or on Slack, up to you!)

1 Like