In the STBKAP project we use the A12 Rich Text Editor Widget for certain form fields.
In order to persist the content of these Widgets we export the Lexical editor state to HTML and save that HTML in our database.
From a security standpoint we need to sanitize this data in our application before processing it on the client and on the server.
Is there a default solution for doing this in A12 or is every project responsible for doing this on their own when using Rich Text Editor Widgets?
Hi @rolf-smooth-qubit,
I am not aware of any.
On the frontend side, the text-cell of the Form Engine and also the Expression package are using sanitize from the dompurify package.
In general:
Everyone is responsible for their specific data handling, regardless of whether it's an image in quoted-printable, XML, HTML, or any other inner format. In DS they are content agnostic, so whatever is modelled is applied, but specific customizations require extra code, hooked to events for example.
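To make the "sanitize before persisting and before rendering" point concrete, here is an added example that is not part of this thread, of A12, or of the dompurify package: a small allowlist sanitizer in plain JavaScript that illustrates what the reply's `sanitize` call does with an HTML export. The tag and attribute allowlists, the sample editor HTML and the function names are all constructed for this example; a project would derive the policy from the node types its Lexical editor actually exports, and in production would pass an equivalent policy to DOMPurify (its `ALLOWED_TAGS` / `ALLOWED_ATTR` options) rather than hand-roll the parser.

```javascript
// Added example (not A12 project code): an allowlist sanitizer for rich-text
// HTML, showing the principle behind DOMPurify's sanitize(). Policy values are
// constructed for this example; a project would derive them from the node types
// its Lexical editor actually exports.
const ALLOWED_TAGS = new Set([
  "p", "br", "b", "strong", "i", "em", "u", "s", "ul", "ol", "li",
  "h1", "h2", "h3", "blockquote", "a", "span",
]);
const ALLOWED_ATTRS = new Set(["href", "class", "dir"]);

// Elements whose text content must go too, not just the tags around it.
const DROP_WITH_CONTENT =
  /<(script|style|iframe|object|embed|noscript|template)\b[^>]*>[\s\S]*?<\/\1\s*>/gi;

// Only absolute http(s) and mailto links are kept. The check runs on the raw
// attribute text after removing control characters that browsers ignore inside
// a scheme, so a value with an embedded tab or an entity-encoded colon never
// starts with "http" and is dropped.
function isSafeUrl(value) {
  const cleaned = value.replace(/[\u0000-\u0020\u007f]/g, "");
  return /^(https?:\/\/|mailto:)/i.test(cleaned);
}

function escapeAttr(value) {
  return value.replace(/"/g, "&quot;").replace(/</g, "&lt;").replace(/>/g, "&gt;");
}

// Keep only allowlisted attributes; event handlers (on*), style, srcdoc and so
// on are dropped simply by not being on the list.
function filterAttributes(rest) {
  const attrRe = /([a-zA-Z_:][-\w:.]*)\s*(?:=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
  let kept = "";
  let m;
  while ((m = attrRe.exec(rest)) !== null) {
    const name = m[1].toLowerCase();
    const value = m[2] ?? m[3] ?? m[4] ?? "";
    if (!ALLOWED_ATTRS.has(name)) continue;
    if (name === "href" && !isSafeUrl(value)) continue;
    kept += ` ${name}="${escapeAttr(value)}"`;
  }
  return kept;
}

function sanitizeRichTextHtml(html) {
  const stripped = String(html)
    .replace(/<!--[\s\S]*?-->/g, "")
    .replace(DROP_WITH_CONTENT, "");
  // Every tag is rebuilt from its parsed name and filtered attributes; a "<"
  // that does not form a tag is escaped so it cannot be reinterpreted later.
  return stripped.replace(
    /<(\/?)([a-zA-Z][^\s\/>]*)([^>]*)>|</g,
    (match, slash, name, rest) => {
      if (name === undefined) return "&lt;";
      const tag = name.toLowerCase();
      if (!ALLOWED_TAGS.has(tag)) return "";
      return slash ? `</${tag}>` : `<${tag}${filterAttributes(rest)}>`;
    },
  );
}

// Constructed sample: a plausible editor export mixed with markup that must
// not survive storage or rendering.
const CONSTRUCTED_EDITOR_HTML =
  '<p dir="ltr"><b>Bold</b> text with a <a href="https://example.com" target="_blank">link</a></p>' +
  '<img src=x onerror="alert(1)">' +
  '<p onclick="alert(2)">click <a href="javascript:alert(3)">here</a></p>' +
  '<script>alert(4)</script><!-- note -->';

console.log(sanitizeRichTextHtml(CONSTRUCTED_EDITOR_HTML));
// → <p dir="ltr"><b>Bold</b> text with a <a href="https://example.com">link</a></p><p>click <a>here</a></p>
```

The same policy should be applied twice: once on the server before the exported HTML is written to the database, and again on the client before it is handed back to the editor or rendered, so that neither side trusts what the other stored. Running DOMPurify on the server needs a DOM implementation (it is commonly paired with jsdom), which is the main practical difference from the client-side call the reply mentions.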
Hello @rolf-smooth-qubit, I am a member of the Discourse team. I can see that there was a new response to your question on Persisting Rich Text Editor State. Do you find it helpful, or should the question remain open?
Thanks in advance for your feedback and have a nice rest of the day!