FEATURE: Treat site settings as plain text and add a new HTML type. (PR #12618)

To add an extra layer of security, we sanitize settings before shipping them to the client. We don’t sanitize those that have the “html” type.

The CookedPostProcessor already uses Loofah for sanitization, so I chose to also use it for this. I added it to our gemfile since we installed it as a transitive dependency.


This looks quite nice and clean, thank you Roman.

My only concern is that some plugins might be using the previous, non-html settings for HTML. I am not aware of any of these but they will be broken now due to sanitization. They will have to be updated, but honestly that is much safer in the long run.

you will have to bump this, I just merged emoji_list which is using this 24 position, sorry :sweat_smile:

1 Like