Add security notes to rich/markdown editors

filamentphp · Oct 16, 2024 · 2b6a3bb · 2b6a3bb
1 parent 8c73cd8
commit 2b6a3bb
Show file tree

Hide file tree

Showing 2 changed files with 20 additions and 0 deletions.
diff --git a/packages/forms/docs/03-fields/10-rich-editor.md b/packages/forms/docs/03-fields/10-rich-editor.md
@@ -15,6 +15,16 @@ RichEditor::make('content')
 
 <AutoScreenshot name="forms/fields/rich-editor/simple" alt="Rich editor" version="3.x" />
 
+## Security
+
+By default, the editor outputs raw HTML, and sends it to the backend. Attackers are able to intercept the value of the component and send a different raw HTML string to the backend. As such, it is important that when outputting the HTML from a rich editor, it is sanitized; otherwise your site may be exposed to Cross-Site Scripting (XSS) vulnerabilities.
+
+When Filament outputs raw HTML from the database in components such as `TextColumn` and `TextEntry`, it sanitizes it to remove any dangerous JavaScript. However, if you are outputting the HTML from a rich editor in your own Blade view, this is your responsibility. One option is to use Filament's `sanitizeHtml()` helper to do this, which is the same tool we use to sanitize HTML in the components mentioned above:
+
+```blade
+{!! str($record->content)->sanitizeHtml() !!}
+```
+
 ## Customizing the toolbar buttons
 
 You may set the toolbar buttons for the editor using the `toolbarButtons()` method. The options shown here are the defaults. In addition to these, `'h1'` is also available:

diff --git a/packages/forms/docs/03-fields/11-markdown-editor.md b/packages/forms/docs/03-fields/11-markdown-editor.md
@@ -15,6 +15,16 @@ MarkdownEditor::make('content')
 
 <AutoScreenshot name="forms/fields/markdown-editor/simple" alt="Markdown editor" version="3.x" />
 
+## Security
+
+By default, the editor outputs raw Markdown and HTML, and sends it to the backend. Attackers are able to intercept the value of the component and send a different raw HTML string to the backend. As such, it is important that when outputting the HTML from a Markdown editor, it is sanitized; otherwise your site may be exposed to Cross-Site Scripting (XSS) vulnerabilities.
+
+When Filament outputs raw HTML from the database in components such as `TextColumn` and `TextEntry`, it sanitizes it to remove any dangerous JavaScript. However, if you are outputting the HTML from a Markdown editor in your own Blade view, this is your responsibility. One option is to use Filament's `sanitizeHtml()` helper to do this, which is the same tool we use to sanitize HTML in the components mentioned above:
+
+```blade
+{!! str($record->content)->markdown()->sanitizeHtml() !!}
+```
+
 ## Customizing the toolbar buttons
 
 You may set the toolbar buttons for the editor using the `toolbarButtons()` method. The options shown here are the defaults: