Possibility to disable HTML Sanitizer
With 6.5, the HTML Sanitizer was added, which removes possible malicious code in the text editor in the admin. There are possibilities to add certain bypasses, but no possibility to disable it completely.
For example, some CSS attributes cannot be bypassed because they are simply not supported by HTML Purifier.
Please add a function to disable this completely. About e.g. the shopware.yaml or .env
Philipp Fuge commented
Cant even do basic image tags anymore.
Stefan Brockhaus commented
The sanitizer keeps us from updating a multichannel instance to 6.5. Even though this implementation is an OWASP recommendation, we would like to have an easy choice to disable the sanitizer.
I agree with the initiator of this "idea" and other two commentators in their statements.
Tobias Pierschel commented
In my opinion, the switch should be added in the administration not in a hidden yaml file.
Dennis Mertens commented
But the intention of the sanitizer is against the use case of the Text-Element in most shops.
Also, CMS, Productdescriptions etc. have many html-code also html code with Shop specific features.
We still need the Code more than we need the security feature.
Just take a look at your SW6 showcases!
BVB Shop has some icons with HTML in the product description. -> not possible with sanitizer and you can’t get every secure HTML code.