Automattic / crowdsignal-forms

Gutenberg blocks for Crowdsignal
GNU General Public License v2.0
13 stars, 9 forks

Remove RawHTML use from the blocks #255

Closed. ice9js closed this 1 year ago

ice9js commented 1 year ago

Followup on #252.

This patch removes remaining instances of <RawHTML> from the plugin blocks and replaces it with decodeEntities().

Testing

This patch affects the feedback and NPS blocks. They should still work as expected and you shouldn't be able to embed XSS payloads inside either of their fields.
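The swap the PR describes, shown as an added example that is not code from crowdsignal-forms or the WordPress packages: a minimal stand-in for decodeEntities() and a string-escaping step standing in for the framework's text rendering, run on constructed block values. It also covers a stored value containing a `<br>` tag, the kind of case the line-break comment later in the thread is about.

```javascript
// Added example (not part of the crowdsignal-forms PR). Stand-ins are used so
// this runs with Node alone; the real implementations live in
// @wordpress/element (RawHTML) and @wordpress/html-entities (decodeEntities).

// Stand-in for decodeEntities(): turns a few named and numeric entities back
// into characters. It returns a plain string and never creates DOM nodes.
const NAMED = { amp: '&', lt: '<', gt: '>', quot: '"', apos: "'", nbsp: '\u00a0' };
function decodeEntities(text) {
  return String(text).replace(/&(#x[0-9a-f]+|#\d+|[a-z]+);/gi, (match, body) => {
    if (body[0] === '#') {
      const hex = body[1].toLowerCase() === 'x';
      return String.fromCodePoint(hex ? parseInt(body.slice(2), 16) : parseInt(body.slice(1), 10));
    }
    const ch = NAMED[body.toLowerCase()];
    return ch === undefined ? match : ch;
  });
}

// What a framework does with text children before emitting markup.
function escapeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return text.replace(/[&<>"']/g, (c) => map[c]);
}

// Before the PR: <RawHTML>{value}</RawHTML> emits the stored string as markup.
function renderRawHtml(value) {
  return `<div>${value}</div>`;
}

// After the PR: {decodeEntities(value)} decodes entities, then the framework
// escapes the result, so tag characters in the value arrive as text.
function renderDecoded(value) {
  return `<div>${escapeHtml(decodeEntities(value))}</div>`;
}

// Element tags an emitted fragment actually contains (the wrapper excluded):
// a quick check that a stored value did not turn into markup.
function tagsIn(html) {
  return Array.from(html.matchAll(/<([a-z][a-z0-9]*)/gi), (m) => m[1].toLowerCase())
    .filter((tag) => tag !== 'div');
}

// Constructed sample values, as a block attribute might store them.
const SAMPLE_HEADER = 'Rate us &amp; win <b>prizes</b>';
const SAMPLE_WITH_BREAK = 'First line<br>Second line';
```

With the second sample, the old path yields a real `<br>` element while the new path shows the text `<br>` literally, which is the behaviour change to check on existing content.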

CGastrell commented 1 year ago

Beware of the header edit with decodeEntities, I think we allow line breaks there


@ice9js

[image attachment]