Sanitise HTML in long description of enterprise [read-only]

[mkllnk]

ℹ️ Please use project Discover Regenerative (Macdoch pt 2): 3. Open Source Tech Evolution to track work on this issue.

What? Why?

• Part of Sanitise HTML in enterprise and product descriptions #12448
• Prequel of Sanitise HTML in long description of enterprise #12459

We weren't sanitising the HTML of long enterprise descriptions at all. So here's a remedy that sanitises the field before it's reaching the database. All consumers, including API users should now get sanitised HTML.

There are more attributes like this listed in the issue. But I wanted to get this through faster and get a review first before I apply the same approach to the other three fields.

What should we test?

• Visit Admin, Enterprise settings, About and edit the long description with the editor.
• Everything you do with the editor should save and show in the frontend.
• I don't know an easy way to simulate the attacker scenario. But I think that my approach with those unit tests is pretty safe.

Release notes

Changelog Category (reviewers may add a label for the release notes):

• User facing changes
• API changes (V0, V1, DFC or Webhook)
• Technical changes only
• Feature toggled

The title of the pull request will be included in the release notes.

Dependencies

Documentation updates

[dacook]

Great!

[rioug]

Nice one !

[filipefurtad0]

Hey @mkllnk ,
I can confirm this works as before:

(I'm also not sure how to simulate such attacks - that's would be a very useful skill, in testing.)

Merging!

[dacook]

Unless there's a vulnerability in the text editor, I think the only way is to manually submit a value with a tool like Postman. You could use some of the html examples in the specs provided by this PR.
But of course, those specs pass so we can be pretty confident already. At least that's why I didn't suggest further testing :)