Insufficient sanitization in rich text fields

[patrys]

Currently, Saleor does very basic sanitization of Editor.js content through the SanitizedJSONField, but it's not enough to prevent malicious staff users from inlining JavaScript if a renderer recklessly uses it to set innerHTML of an element.

We should use a tool like bleach with a short list of allowed tags and attributes to make sure clean_text_data actually prevents scripting attacks.

@mmiszy said he could provide a list of tags and attributes that are necessary for Editor.js to function.

It's a hardening task, as any client should sanitize untrusted content, so we're keeping the ticket public and will not assign a CVE.

[typeofweb]

It seems that the only tags that Editor.js uses in Saleor Dashboard are:

• b
• i
• a[href]

[JPaulMora]

Bleach has since been deprecated (see here mozilla/bleach#698), people are migrating to nh3 wich seems very fast.