Conversation messages rely on the output-side rendering to escape any malicious HTML. This adds a sanitize_field call to the body property to clean up the saved data and ensure that API-provided messages are safe as well.
Test plan
Open browser developer tools network panel
Send a conversation message to someone and verify it's received
In Chrome, copy the request out as a cURL command. Edit the message in the JSON to include some HTML with an onClick event.