In older versions, we always stripped html-like substrings in certain elements to help users avoid inadvertently creating XSS vulnerabilities by reflecting the value of these elements without properly escaping them. We decided that wasn't particularly helpful because the simple sanitation we were performing didn't address all cases. It also did a poor job of sanitizing.
This removes that html stripping by default and adds the option `strip_html` to restore the old behavior.
Resolves #165, #243
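As an added illustration of the rationale above, the following Ruby script (added here as an example; it is not the project's own code, and Ruby is assumed to be the project's language) contrasts a hypothetical naive tag stripper, of the kind the description says was "not particularly helpful", with escaping the value at the point it is reflected into HTML. The `naive_strip_html`, `escape_for_html`, `breaks_html_context?` and `bypasses_naive_stripping` helpers and the `SAMPLES` inputs are constructed for this example.

```ruby
require "cgi"

# Hypothetical naive "html-like substring" stripper (illustrative stand-in for
# the kind of simple sanitation the description says was removed): deletes
# tags whose name is on a small blocklist, in a single pass.
def naive_strip_html(value)
  value.gsub(%r{</?(?:script|img|b)\b[^>]*>}i, "")
end

# Output-side defense: escape the value where it is reflected into HTML.
# This is the caller's responsibility that the description points to.
def escape_for_html(value)
  CGI.escapeHTML(value)
end

# A reflected value is unsafe in an HTML text or quoted-attribute context if
# it still carries characters that can change the parse context.
def breaks_html_context?(html_fragment)
  html_fragment.match?(/[<>"']/)
end

# Constructed sample inputs (not real user-agent strings). Each pair is
# [label, value]; order matters for the results below.
SAMPLES = [
  ["plain",        "Mozilla/5.0 (X11; Linux x86_64)"],
  # The one case the naive stripper actually handles.
  ["simple_tag",   "Mozilla/5.0 <script>alert(1)</script>"],
  # Removing the inner <b> reassembles a <script> tag (single-pass stripping).
  ["nested",       "Mozilla/5.0 <scr<b>ipt>alert(1)</scr<b>ipt>"],
  # Tag name not on the blocklist passes straight through.
  ["unlisted_tag", "Mozilla/5.0 <svg onload=alert(1)>"],
  # No tag at all, but breaks out of a quoted attribute.
  ["attribute",    "\" onmouseover=\"alert(1)"],
].freeze

# Runs both strategies over every sample and reports which ones leave the
# reflected value unsafe. Escaping never does; stripping does in three cases.
def bypasses_naive_stripping
  SAMPLES.map do |label, value|
    stripped = naive_strip_html(value)
    escaped  = escape_for_html(value)
    {
      label: label,
      stripped: stripped,
      stripped_unsafe: breaks_html_context?(stripped),
      escaped: escaped,
      escaped_unsafe: breaks_html_context?(escaped),
    }
  end
end

if __FILE__ == $PROGRAM_NAME
  bypasses_naive_stripping.each do |r|
    puts "#{r[:label]}: stripped=#{r[:stripped].inspect} unsafe=#{r[:stripped_unsafe]}"
    puts "#{' ' * r[:label].size}  escaped=#{r[:escaped].inspect} unsafe=#{r[:escaped_unsafe]}"
  end
end
```

The stripper only defeats the textbook payload; the nested, unlisted-tag and attribute-context inputs all survive it and only escaping at the output neutralizes every one of them, which is the reason the description gives for no longer stripping by default.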