ENG-3664: Allow for HTML in manage consent page description in Privacy Center #8226

Merged: nreyes-dev merged 2 commits into main from nreyes/eng-3664 on May 18, 2026
nreyes-dev (Contributor) commented May 18, 2026

Ticket ENG-3664

Description Of Changes

HTML in the Privacy Center consent page heading and description rendered as escaped text even when ALLOW_HTML_DESCRIPTION was enabled. The setting was wired up for the landing page in #6643 but never applied to the consent page components.

This PR extracts the existing TextOrHtml helper from HomePage.tsx into a shared component and uses it in ConsentHeading and ConsentDescription (both notice-driven and config-driven branches), gated on the same setting and using the same allowlist sanitizer.

Code Changes

  • Extracted TextOrHtml from HomePage.tsx into a new shared components/TextOrHtml.tsx, with an optional component prop (defaults to Text) so callers can render different underlying typography.
  • Updated HomePage.tsx to import the shared component and drop the local definition.
  • Updated ConsentDescription.tsx to render the description and description_subtext through TextOrHtml in both notice-driven and config-driven branches, gated on ALLOW_HTML_DESCRIPTION.
  • Updated ConsentHeading.tsx to render through TextOrHtml with component={Heading}, gated on ALLOW_HTML_DESCRIPTION.
  • Added Cypress coverage in consent.cy.ts verifying HTML renders when the flag is on and escapes when off.

Before

image

After

image

Steps to Confirm

  1. Set FIDES_PRIVACY_CENTER__ALLOW_HTML_DESCRIPTION=true and FIDES_PRIVACY_CENTER__IS_OVERLAY_ENABLED=true on the Privacy Center, then restart it.
  2. In the admin UI, edit a privacy_center experience's English translation and put HTML (e.g. <strong>bold</strong>, <em>italic</em>, <ul><li>item</li></ul>, <a href="...">link</a>) in both the title and description fields. Save.
  3. Visit /consent on the Privacy Center, forcing a matching location via ?geolocation=US-XX for one of the experience's locations. Confirm the heading and description render the HTML (bold, italic, list, link).
  4. Restart with FIDES_PRIVACY_CENTER__ALLOW_HTML_DESCRIPTION=false and reload /consent. Confirm the HTML now renders as literal escaped tags.
  5. Regression check: with the flag back on, put HTML in the PC config.json description and load / — confirm the landing page still renders HTML and escapes it when the flag is off.

Pre-Merge Checklist

  • Issue requirements met
  • All CI pipelines succeeded
  • CHANGELOG.md updated
    • Add a db-migration label to the entry if your change includes a DB migration
    • Add a high-risk label to the entry if your change includes a high-risk change (i.e. potential for performance impact or unexpected regression) that should be flagged
    • Updates unreleased work already in Changelog, no new entry necessary
  • UX feedback:
    • All UX related changes have been reviewed by a designer
    • No UX review needed
  • Followup issues:
    • Followup issues created
    • No followup issues
  • Database migrations:
    • Ensure that your downrev is up to date with the latest revision on main
    • Ensure that your downgrade() migration is correct and works
      • If a downgrade migration is not possible for this change, please call this out in the PR description!
    • No migrations
  • Documentation:
    • Documentation complete, PR opened in fidesdocs
    • Documentation issue created in fidesdocs
    • If there are any new client scopes created as part of the pull request, remember to update public-facing documentation that references our scope registry
    • No documentation updates required
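
An added example (not code from this PR or from Fides) of the behaviour the description and the Cypress test describe: escaped output when the flag is off, and only allowlisted tags restored when it is on. The function names, the tag list and the escape-then-restore approach are assumptions; the project's own sanitizer is not shown on this page.

```typescript
// Added illustration; not the Fides sanitizer. All names here are hypothetical.
const ALLOWED_TAGS: ReadonlySet<string> = new Set(["strong", "em", "ul", "li", "p", "br"]);

// Escape every HTML-significant character so the whole string is inert text.
function escapeHtml(s: string): string {
  return s
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Matches, in already-escaped text, either an attribute-free tag or an
// anchor whose only attribute is a double-quoted http(s) href.
const TOKEN = /&lt;(\/?)([a-z]+)&gt;|&lt;a href=&quot;(https?:\/\/(?:[^\s&]|&amp;)*)&quot;&gt;/g;

// Escape first, then restore only the exact allowlisted forms. Anything the
// pattern does not recognise (attributes, other schemes, other tags) stays escaped.
function sanitizeAllowlist(input: string): string {
  return escapeHtml(input).replace(
    TOKEN,
    (m: string, slash?: string, tag?: string, url?: string): string => {
      if (url !== undefined) return `<a href="${url}" rel="noopener noreferrer">`;
      if (tag !== undefined && (ALLOWED_TAGS.has(tag) || (tag === "a" && slash === "/"))) {
        return `<${slash || ""}${tag}>`;
      }
      return m; // not on the allowlist: leave it escaped
    }
  );
}

// Flag off: plain escaped text. Flag on: allowlist-sanitized HTML.
function renderDescription(text: string, allowHtml: boolean): string {
  return allowHtml ? sanitizeAllowlist(text) : escapeHtml(text);
}

// Constructed sample input
const SAMPLE = '<strong>bold</strong> <a href="https://example.com/?a=1&b=2">link</a>';
console.log(renderDescription(SAMPLE, true));
console.log(renderDescription(SAMPLE, false));
```

The sketch does not balance tags. In a React component the flag-off branch corresponds to rendering the string as an ordinary text child.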

vercel Bot (Contributor) commented May 18, 2026

The latest updates on your projects. Learn more about Vercel for GitHub.

2 Skipped Deployments

| Project | Deployment | Actions | Updated (UTC) |
| --- | --- | --- | --- |
| fides-plus-nightly | Ignored | Preview | May 18, 2026 9:30pm |
| fides-privacy-center | Ignored | | May 18, 2026 9:30pm |

github-actions Bot commented May 18, 2026

| Title | Lines | Statements | Branches | Functions |
| --- | --- | --- | --- | --- |
| admin-ui | Coverage: 9% | 6.93% (3173/45757) | 6.34% (1680/26483) | 4.8% (650/13541) |
| fides-js | Coverage: 78% | 79.17% (1977/2497) | 66.25% (1249/1885) | 73.31% (349/476) |
| privacy-center | Coverage: 85% | 82.53% (364/441) | 79.74% (189/237) | 74.07% (60/81) |

@nreyes-dev nreyes-dev marked this pull request as ready for review May 18, 2026 21:42
@nreyes-dev nreyes-dev requested a review from a team as a code owner May 18, 2026 21:42
@nreyes-dev nreyes-dev requested review from kruulik and removed request for a team May 18, 2026 21:42
kruulik (Contributor) left a comment

Looks good to me! I was curious if we use any 3rd party sanitization utilities but seems like this is the only one we have (and it's only used here).

@nreyes-dev nreyes-dev added this pull request to the merge queue May 18, 2026
Merged via the queue into main with commit 9ed90e8 May 18, 2026
45 checks passed
@nreyes-dev nreyes-dev deleted the nreyes/eng-3664 branch May 18, 2026 22:45