DEV: Sanitize HTML admin inputs (PR #14681)

This PR adds on-save HTML sanitization for:

  • Client site settings
  • Translation overrides
  • Badges descriptions
  • User fields descriptions

I used Rails’s SafeListSanitizer, which accepts the following HTML tags and attributes


This is a really beautiful PR. Great job.

On update, I don’t think we should sanitize the description if it is not going to change.

      if additional_attributes.present?

An empty array is considered truthy when used in a conditional.

Same comment as the above where we should avoid sanitizing if the description has not changed.

Are we able to add a test for the site settings changes here?

I don’t feel like we should be testing this as a request spec as the sanitization of the field before saving is a model concern.

I have the same comment here as per: DEV: Sanitize HTML admin inputs by romanrizzi · Pull Request #14681 · discourse/discourse · GitHub

Looks great!