Sanitize all text-based properties (textbox / textarea)

[simonech]

Background / context

Umbraco provides an IHtmlSanitizer interface that can be used to sanitize content coming from Rich Text Editors (RTEs).
This allows preventing malicious scripts, unwanted markup, or problematic formatting from being stored and rendered.

Out of the box, Umbraco ships with a No-op implementation, but projects with stricter requirements can register a custom sanitizer.

Problem statement

While RTE values go through the text sanitization pipeline, textbox and textarea properties do not.

As a result:

• editors can enter arbitrary markup or scripts in textbox/textarea fields
• sanitization (or encoding) is left entirely to frontend rendering
• this can easily introduce XSS vulnerabilities, especially when scripts, embeds, or iframes are involved so text cannot be encoded in the frontend (so rendered using Html.Raw)

This creates an inconsistency:

• RTE content supports optional sanitization
• plain text-based properties do not, even though they can contain markup

Proposed idea

Extend textbox and textarea datatypes with an optional sanitization flag.

Proposed behaviour:

• Add a new boolean setting to textbox and textarea datatypes
  (default: true)
• When the flag is enabled:
  • the value is passed through the same IHtmlSanitizer pipeline as RTE content
• When the flag is disabled:
  • the value is stored as-is (current behaviour)
  • editors can enter any markup or scripts intentionally

UX consideration

To avoid confusion:

• the sanitization option should only be visible if a custom IHtmlSanitizer implementation is registered
• this prevents a situation where sanitization appears to be enabled but has no effect due to the default No-op implementation

Open discussion

This discussion can be used to:

• validate whether aligning all text-based properties on the same sanitization model makes sense
• discuss defaults and backwards compatibility

Note

This ticket was discussed within the Umbraco Security & Privacy Advisors group; I’m formalising it here to gather broader feedback.