feat(surveys): Add question html support #17847
Conversation
📸 UI snapshots have been updated. 1 snapshot changes in total: 0 added, 1 modified, 0 deleted.
Triggered by this commit.
@@ -496,6 +496,7 @@ def hashed_identifier(self, feature_flag: FeatureFlag) -> Optional[str]: | |||
return self.hash_key_overrides[feature_flag.key] | |||
return self.distinct_id | |||
else: | |||
# TODO: Don't use the cache if self.groups is empty, since that means no groups provided anyway |
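Review bot: The one added line in this hunk is a TODO comment in hashed_identifier about not using the cache when self.groups is empty, which has nothing to do with the survey question HTML support this PR is titled for; consider dropping it from this PR or tracking it in a separate issue so the decide-path note is reviewed on its own rather than riding along with a frontend feature.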
is this a part of the PR? :o
whoops, no, but was meant to go in anyway 😅 - notes for fixing a few decide issues, whenever I get to them.
I'm going to test this locally and then merge if it's all good
I feel like we should actually prevent the user from creating the survey if they have script in their description HTML. Removing them on save works too, but since we're going to great lengths to prevent it anyway, maybe we should be more direct by just form erroring them entirely? Anyway, not really a blocker and everything else is working, so I'll leave it to you to decide!
The tricky bit is that there are several ways to get a script inside:
And there's a second benefit of sanitising, which we seriously need: to fix malformed HTML, per user input error, or close unclosed tags. This doesn't affect the preview much, but would completely break the actual survey if there are malformed tags. So we're always doing some adjustments on save. And at this stage, instead of making exceptions for a small class of script tags, I felt it better to just go the route of "we will clean up your HTML no matter what it is".
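The sanitise-on-save approach described in the comment above, as an added example that is not PostHog's own code: a small allowlist sanitiser built on Python's standard-library html.parser that drops script elements, inline event handlers and javascript: links, and closes tags the author left open. The tag allowlist, URL scheme list and sample inputs are constructed for this example.

```python
from html import escape
from html.parser import HTMLParser

ALLOWED_TAGS = {"p", "b", "i", "em", "strong", "a", "ul", "ol", "li", "br"}  # constructed for this example
SAFE_URL_PREFIXES = ("http://", "https://", "mailto:")


class SurveyHTMLSanitizer(HTMLParser):
    # Allowlist sanitiser: script-bearing markup is dropped and unclosed tags are closed.
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.open_tags = []  # stack of tags still awaiting their close tag
        self.skip_depth = 0  # >0 inside <script>/<style>, whose text is dropped

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self.skip_depth += 1
            return
        if self.skip_depth or tag not in ALLOWED_TAGS:
            return  # unknown elements such as <img onerror=...> vanish entirely
        kept = []
        for name, value in attrs:
            value = (value or "").strip()
            # only href on <a> survives, and only with an allowlisted scheme; everything
            # else (inline on* handlers, javascript:/data: URLs, style) is dropped
            if (tag, name) == ("a", "href") and value.lower().startswith(SAFE_URL_PREFIXES):
                kept.append(f' href="{escape(value)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")
        if tag != "br":  # <br> is a void element and never needs closing
            self.open_tags.append(tag)

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self.skip_depth = max(0, self.skip_depth - 1)
        elif not self.skip_depth and tag in self.open_tags:
            inner = None
            while inner != tag:  # also closes inner tags the author left open
                inner = self.open_tags.pop()
                self.out.append(f"</{inner}>")

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(escape(data, quote=False))


def sanitize_survey_html(raw: str) -> str:
    parser = SurveyHTMLSanitizer()
    parser.feed(raw)
    parser.close()
    parser.out.extend(f"</{t}>" for t in reversed(parser.open_tags))  # close leftovers
    return "".join(parser.out)
```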
Problem
Fixes #17506
Depends on PostHog/posthog-js#824
We sanitize inputs
Changes
How did you test this code?