To protect our platform from cross-site scripting (XSS) attacks, we have a built-in data sanitisation feature that cleans any user input entered into a text field.
This prevents users from injecting malicious code into your marketplace, but it also means that the text a user sees after saving a text field may differ from what they typed.
Data sanitisation is always on and no action is necessary to enable it.
What is sanitised?
At present only those fields related to Adverts will be sanitised, including: title, description, comments, specifications, features, notes, and booking terms.
In future other user input data will be sanitised.
Impact on the user journey
When a user manually creates an advert, a user imports their adverts through integrations, or an admin creates a text block using the page builder, the following kinds of changes will occur:
Some characters will be HTML escaped, for example:
- & will become &amp;
- Contiguous spaces will have &nbsp; inserted for each space in the series but one
- Quantity comparisons using > and < become &gt; and &lt;
- • becomes its HTML entity
- ® becomes its HTML entity
- ™ becomes its HTML entity
- Quotation marks (‘, “, etc.) become their HTML entities (‘, ’, etc.)
HTML/Markdown markup will be cleaned up, for example:
- Tag names will be lowercased, for example <B> becomes <b>
- Markup with self-closing tags will have the slash removed: <br /> becomes <br>
- <script> tags will be removed entirely
- If a <table> is missing <tbody> tags, then those will be inserted
- If a closing tag is missing, it will be inserted at the end of the text
- <font> tags will be removed entirely
Other actions include:
- Removing unwanted non-printing characters, such as U+009E
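As an added illustration (not the platform's own sanitiser), the following Python script reproduces the documented transformations on one text field: entity escaping, &nbsp; for repeated spaces, tag-name lowercasing, removal of the self-closing slash, removal of <script> (with its content) and <font> (keeping its text), closing of unclosed tags at the end, and stripping of control characters such as U+009E. The set of void tags is an assumption; the script does not insert <tbody>, does not convert symbols like ® to entities, and filters no attributes, so it shows the output changes rather than providing XSS protection.

```python
import html
import re
from html.parser import HTMLParser

# Non-printing C0/C1 control characters (e.g. U+009E); tab, LF and CR are kept.
CONTROL_CHARS = re.compile(r"[\x00-\x08\x0b\x0c\x0e-\x1f\x7f-\x9f]")
VOID_TAGS = {"br", "hr", "img", "input", "meta", "link"}  # assumed: never get a closing tag
DROP_WITH_CONTENT = {"script"}  # element and everything inside it removed
DROP_TAG_ONLY = {"font"}        # tag removed, text inside it kept


class Sanitiser(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)  # '&amp;' arrives as '&', re-escaped below
        self.out, self.open, self.skip = [], [], 0  # output, open-tag stack, <script> depth

    def handle_starttag(self, tag, attrs):  # HTMLParser already lowercases tag names
        if tag in DROP_WITH_CONTENT:
            self.skip += 1
        elif not self.skip and tag not in DROP_TAG_ONLY:
            attr_text = "".join(f' {k}="{html.escape(v or "")}"' for k, v in attrs)
            self.out.append(f"<{tag}{attr_text}>")  # '<br />' is re-emitted as '<br>'
            if tag not in VOID_TAGS:
                self.open.append(tag)

    def handle_endtag(self, tag):
        if tag in DROP_WITH_CONTENT:
            self.skip = max(0, self.skip - 1)
        elif not self.skip and tag in self.open:
            while self.open:  # also closes any unclosed tags nested inside it
                t = self.open.pop()
                self.out.append(f"</{t}>")
                if t == tag:
                    break

    def handle_data(self, data):
        if self.skip:
            return
        text = html.escape(CONTROL_CHARS.sub("", data), quote=False)
        # a run of n spaces keeps one space and gains n-1 '&nbsp;'
        self.out.append(re.sub(r" {2,}", lambda m: " " + "&nbsp;" * (len(m.group()) - 1), text))

    def result(self):
        self.out.extend(f"</{t}>" for t in reversed(self.open))  # close what was left open
        return "".join(self.out)

def sanitise(raw):
    p = Sanitiser()
    p.feed(raw)
    p.close()
    return p.result()
```

Feeding a saved advert description through sanitise() shows exactly which of the changes listed above account for a difference between what was typed and what is displayed.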