Open Timo-Breumelhof opened 3 years ago
FYI, I now fixed it like this in the template:
```handlebars
{{!-- Render the comment only when Message contains no "<" --}}
{{#contains "<" Message}}
{{else}}
  <div class="comment">
    <h4 class="comment-title">{{Name}}</h4>
    <div class="text">
      {{convertHtmlToText (replacenewline Message "<br>")}}
    </div>
  </div>
{{/contains}}
```
Please note that due to issue #165 the contains statement will most likely be different in the future, e.g. `{{#contains Message "<"}}`.
When using the text / textarea field in (inline) forms it would be good if one could set what to do with entered HTML before it's stored. IMO the most important option would be to strip HTML but maybe Encode could be an option too?
Option: server side, replace script tags for all non-SuperUsers, see: https://www.dnnsoftware.com/wiki/input-filtering
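The three ways of handling markup in a `Message` value that come up in this issue (hiding the comment, stripping HTML, encoding), compared on constructed input. This is an added example in plain JavaScript, not OpenContent or DNN code, and every function name in it is hypothetical.

```javascript
// Added illustration; function names are hypothetical, not OpenContent or DNN APIs.

// Option "Encode": make markup characters inert. "&" must be replaced first,
// otherwise the entities produced by the later replacements get re-encoded.
function encodeHtml(text) {
  return text
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Option "Strip": drop anything shaped like a tag, then encode what is left,
// because a regex strip alone leaves an unmatched "<" in place.
function stripHtml(text) {
  return encodeHtml(text.replace(/<[^>]*>/g, ""));
}

// The template workaround: a message containing "<" is not rendered at all.
function workaround(text) {
  return text.includes("<") ? null : text;
}

// Encode first, then turn newlines into <br>, so the only markup in the
// output is the <br> added here.
function renderComment(text) {
  return encodeHtml(text).replace(/\r?\n/g, "<br>");
}

// Constructed sample messages.
const samples = [
  "Nice post!\nThanks",
  "Use x < 10 here",
  "<script>alert(1)</script>hi",
  "<b>bold</b> & more",
];

function compare(messages) {
  return messages.map((m) => ({
    workaround: workaround(m),
    stripped: stripHtml(m),
    rendered: renderComment(m),
  }));
}

console.log(compare(samples));
```

The second sample shows the cost of the workaround: a harmless message with a "less than" sign is hidden, while encoding keeps it readable.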