Execute some html in description field

[mjgiarlo]

Issue by hackmastera Tuesday Aug 16, 2016 at 14:02 GMT Originally opened as https://github.com/projecthydra/sufia/issues/2473

---

Descriptive summary

Sufia 6 allowed too much but Sufia 7 allows nothing. My users want at least italics so they can, e.g., reference book titles.

[mjgiarlo]

Comment by hackmastera Tuesday Aug 16, 2016 at 14:08 GMT

---

Paragraphs are being used here as well.

[mjgiarlo]

Comment by mjgiarlo Tuesday Dec 20, 2016 at 23:30 GMT

---

I believe this is now available, from https://github.com/projecthydra/sufia/commit/11521027aa85843f26dd880f397143797be0d28f

[mjgiarlo]

Comment by hackmastera Wednesday Dec 21, 2016 at 18:14 GMT

---

Hm, that allows links but I need maybe <cite> and <br>. It might be nice to have a configurable whitelist?

[mjgiarlo]

Comment by mjgiarlo Wednesday Dec 21, 2016 at 19:27 GMT

---

@hackmastera oh, shoot, I misread this. Sorry to have closed it prematurely.

I'll move this issue to Hyrax. What would a starting default whitelist look like? a, cite, and br? Toss a list at me and I'll make sure it's carried over.

[mjgiarlo]

Comment by hackmastera Wednesday Dec 21, 2016 at 19:31 GMT

---

@mjgiarlo Also p. I think that's all we have. Thanks!!

[mjgiarlo]

Comment by mjgiarlo Wednesday Dec 21, 2016 at 19:36 GMT

---

Description metadata field should render limited HTML. Whitelist of tags:

• <a>
• <cite>
• <br>
• <p>
• <em>

Thanks, @hackmastera

[mjgiarlo]

Comment by jcoyne Wednesday Dec 21, 2016 at 20:20 GMT

---

Are there any HTML attributes we want to whitelist? We wouldn't want to allow onclick="stealMyCookies()", but we might want href="http://example.com/"

[mjgiarlo]

Comment by mjgiarlo Wednesday Dec 21, 2016 at 22:20 GMT

---

Be great if there were some library out there that could do this for us.

[no-reply]

See, e.g.: https://github.com/curationexperts/laevigata/blob/27ad4e0faddde4b3f4a27f629db5063d26e6f920/lib/input_sanitizer.rb