Summary field does not sanitise CSS classes

Description

Steps to reproduce the problem

  1. Create or edit a work

  2. In the summary, type in some raw HTML specifying a class, e.g.: <p class="3foo">text</p>

  3. Save the work, then either view the page source or edit it again to see the HTML in the summary field.

  4. Notice that it still contains <p class="3foo">text</p> even though that isn't a valid CSS class

Expected behaviour
CSS classes starting with a digit or a hyphen, or containing non-alphanumeric characters, should be stripped out.

Possible solution
This should be as simple as adding :summary to the FIELDS_ALLOWING_CSS list in config.yml and then removing the corresponding skip in the html_cleaner_spec test.
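As an added illustration (not the AO3 html cleaner or the change this issue proposes), here is a small Ruby filter that applies the rule stated under "Expected behaviour" to the class attributes in a summary. The function names are made up, and allowing hyphens and underscores after a leading letter is an assumption; in the real application this check belongs inside the HTML sanitizer's attribute handling rather than in a regex over the raw string.

```ruby
# Added example, not project code. A class token is kept only if it starts
# with an ASCII letter and then contains only letters, digits, hyphens or
# underscores (assumption: hyphen/underscore allowed after the first char).
# "3foo" (leading digit), "-bad" (leading hyphen) and "a.b" (punctuation)
# are all rejected, matching the issue's expected behaviour.
VALID_CLASS_TOKEN = /\A[A-Za-z][A-Za-z0-9_-]*\z/

# Split a class attribute value on whitespace and keep only valid tokens.
def filter_class_tokens(class_value)
  class_value.to_s.split(/\s+/).reject(&:empty?).select do |token|
    token.match?(VALID_CLASS_TOKEN)
  end
end

# Rewrite every class="..." / class='...' attribute in an HTML fragment.
# If no valid token survives, the attribute is dropped entirely, so
# <p class="3foo">text</p> becomes <p>text</p>. Output is normalised to a
# lowercase attribute name with double quotes. This is a string-level demo:
# a production cleaner should do this on parsed attributes, not with gsub.
def sanitize_class_attributes(html)
  html.gsub(/\sclass\s*=\s*(?:"([^"]*)"|'([^']*)')/i) do
    raw  = Regexp.last_match(1) || Regexp.last_match(2)
    kept = filter_class_tokens(raw)
    kept.empty? ? "" : %( class="#{kept.join(' ')}")
  end
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample input mirroring step 2 of the report.
  puts sanitize_class_attributes('<p class="3foo">text</p>')
  puts sanitize_class_attributes('<p class="note 3foo -bad a.b">text</p>')
end
```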

Environment:
Status:
Assignee: Sarken
Reporter: Ariana
Roadmap: Works
Priority: Medium
Affects versions: 0.9.207
Fix versions:
Components: Parser
Difficulty: Easy
Milestone: Internal 0.9