code16
diff --git a/‎composer.json‎
Lines changed: 1 addition & 0 deletions b/‎composer.json‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎demo/composer.json‎
Lines changed: 1 addition & 0 deletions b/‎demo/composer.json‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎demo/composer.lock‎
Lines changed: 803 additions & 431 deletions b/‎demo/composer.lock‎
Lines changed: 803 additions & 431 deletions
diff --git a/‎docs/guide/building-entity-list.md‎
Lines changed: 4 additions & 0 deletions b/‎docs/guide/building-entity-list.md‎
Lines changed: 4 additions & 0 deletions
diff --git a/‎docs/guide/form-fields/editor.md‎
Lines changed: 12 additions & 0 deletions b/‎docs/guide/form-fields/editor.md‎
Lines changed: 12 additions & 0 deletions
diff --git a/‎docs/guide/form-fields/text.md‎
Lines changed: 3 additions & 0 deletions b/‎docs/guide/form-fields/text.md‎
Lines changed: 3 additions & 0 deletions
diff --git a/‎docs/guide/form-fields/textarea.md‎
Lines changed: 4 additions & 1 deletion b/‎docs/guide/form-fields/textarea.md‎
Lines changed: 4 additions & 1 deletion
diff --git a/‎docs/guide/show-fields/text.md‎
Lines changed: 6 additions & 0 deletions b/‎docs/guide/show-fields/text.md‎
Lines changed: 6 additions & 0 deletions
diff --git a/‎package-lock.json‎
Lines changed: 31 additions & 0 deletions b/‎package-lock.json‎
Lines changed: 31 additions & 0 deletions
diff --git a/‎package.json‎
Lines changed: 1 addition & 0 deletions b/‎package.json‎
Lines changed: 1 addition & 0 deletions
@@ -27,6 +27,7 @@
         "league/commonmark": "^2.4",
         "masterminds/html5": "^2.8",
         "spatie/image-optimizer": "^1.6",
+        "symfony/html-sanitizer": "^7.3",
         "tightenco/ziggy": "^2.0"
     },
     "require-dev": {
 
@@ -17,6 +17,7 @@
         "pragmarx/google2fa": "^8.0",
         "spatie/image-optimizer": "^1.6",
         "spatie/laravel-translatable": "^6.0",
+        "symfony/html-sanitizer": "^7.3",
         "technikermathe/blade-lucide-icons": "^3.98",
         "tightenco/ziggy": "^1.8"
     },
 
@@ -53,6 +53,10 @@ Setting the label, allowing the column to be sortable and to display html is opt
 The optional `->setWidth()` method accepts either an integer (eg: `20` for 20%), a float (eg: `.2` for 20%) or a string (eg: `'20'` or `'20%'`); if missing, it will be deduced (you can use `->setWidthFill()` to force this last behavior).
 To hide the column on small screens, use `->hideOnSmallScreens()`.
 
+::: warning
+HTML sanitization is enabled by default for list fields (to prevent XSS attacks when displaying the list). You can disable it by using `->setSanitizeHtml(false)` field method.
+:::
+
 Sorting columns must be handled in the `getListData()` method, see below.
 
 #### Add a badge field
 
@@ -55,6 +55,10 @@ SharpFormEditorField::make("description")
      ]);
 ```
 
+::: warning
+HTML included using RAW_HTML button is not sanitized.
+:::
+
 If you have editor embeds you can add them to the toolbar alongside other buttons (instead of the embeds dropdown) :
 
 ```php
@@ -91,6 +95,10 @@ Unset the max character count.
 
 Display a character count in the status bar. Default is false.
 
+### `setSanitizeHtml(bool $sanitizeHtml = true)`
+
+Toggle HTML sanitization (enabled by default). See [security](#security).
+
 ## Embed images and files in content
 
 The Editor field can embed images or regular files. To use this feature, you must first allow the field to handle uploads:
@@ -245,6 +253,10 @@ This method expects an array of embeds that could be inserted in the content, de
 
 The [documentation on how to write an Embed class is available here](../form-editor-embeds.md).
 
+## Security
+
+Editor content is sanitized by default before storing the data (to prevent XSS attack when displaying HTML content). To disable sanitizing you can call `->setSanitizeHtml(false)`.
+
 ## Formatter
 
 - `toFront`: expects a string; will extract embedded files for the front.
 
@@ -32,6 +32,9 @@ Set a max character count.
 
 Unset the max character count.
 
+### `setSanitizeHtml()`
+
+Enable HTML sanitization (to prevent XSS attacks if this field data is used as raw HTML).
 
 ## Formatter
 
 
@@ -16,8 +16,11 @@ Set a max character count.
 
 Unset the max character count.
 
+### `setSanitizeHtml()`
+
+Enable HTML sanitization (to prevent XSS attacks if this field data is used as raw HTML).
 
 ## Formatter
 
 - `toFront`: expect a string.
-- `fromFront`: returns a string.
+- `fromFront`: returns a string.
@@ -20,12 +20,18 @@ Reset the collapse configuration.
 
 By default, the text is escaped. If you want to display HTML, set this to true.
 
+### `setSanitizeHtml(bool $sanitizeHtml = true)`
+
+HTML sanitization is enabled by default for text fields (to prevent XSS attacks when displaying the show). To disable it, call `->setSanitizeHtml(false)`.
+
+
 ### `allowEmbeds(array $embeds)`
 
 This method expects an array of embeds that could be inserted in the content, declared as full class names. An embed class must extend `Code16\Sharp\Form\Fields\Embeds\SharpFormEditorEmbed`.
 
 The [documentation on how to write an Embed class is available here](../form-editor-embeds.md).
 
+
 ## Transformer
 
 For markdown-formatted texts, be sure to use the built-in `MarkdownAttributeTransformer`:
 
@@ -68,6 +68,7 @@
     "class-variance-authority": "^0.7.0",
     "clsx": "^2.1.1",
     "cropperjs": "^1.5.12",
+    "dompurify": "^3.2.6",
     "filesize": "^10.1.0",
     "flexsearch": "^0.7.43",
     "leaflet": "^1.9.4",