From 11ae40e62edd3da044d37ebf264757a09cc2347b Mon Sep 17 00:00:00 2001
From: Jason Varga <jason@pixelfear.com>
Date: Wed, 18 Feb 2026 13:41:43 -0500
Subject: [PATCH] [6.x] Sanitize html in html fieldtype (#13990)

---
 lang/en/fieldtypes.php                         |  1 +
 package-lock.json                              | 17 +++++++++++++++++
 package.json                                   |  1 +
 .../js/components/fieldtypes/HtmlFieldtype.vue | 18 ++++++++++--------
 src/Fieldtypes/Html.php                        |  6 ++++++
 5 files changed, 35 insertions(+), 8 deletions(-)

diff --git a/lang/en/fieldtypes.php b/lang/en/fieldtypes.php
index 1267da4ec98..9f4ddea6a4e 100644
--- a/lang/en/fieldtypes.php
+++ b/lang/en/fieldtypes.php
@@ -110,6 +110,7 @@
     'group.title' => 'Group',
     'hidden.title' => 'Hidden',
     'html.config.html_instruct' => 'Manage the HTML to be displayed in the publish form. This is for display purposes only, the HTML will not be saved.',
+    'html.config.sanitize_instruct' => 'Whether the HTML should be sanitized before being displayed. Only disable this if you have a good reason.',
     'html.title' => 'HTML',
     'icon.config.set' => 'The name of a custom icon set.',
     'icon.title' => 'Icon',
diff --git a/package-lock.json b/package-lock.json
index f00c11f114d..5362305ca8e 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -50,6 +50,7 @@
         "codemirror": "5.65.12",
         "cookies-js": "^1.2.2",
         "cva": "^1.0.0-beta.3",
+        "dompurify": "^3.3.1",
         "floating-vue": "^5.2.2",
         "fuzzysort": "^3.1.0",
         "highlight.js": "^11.7.0",
@@ -2882,6 +2883,13 @@
         "csstype": "^3.2.2"
       }
     },
+    "node_modules/@types/trusted-types": {
+      "version": "2.0.7",
+      "resolved": "https://registry.npmjs.org/@types/trusted-types/-/trusted-types-2.0.7.tgz",
+      "integrity": "sha512-ScaPdn1dQczgbl0QFTeTOmVHFULt394XJgOQNoyVhZ6r2vLnMLJfBPd53SB52T/3G36VI1/g2MZaX0cwDuXsfw==",
+      "license": "MIT",
+      "optional": true
+    },
     "node_modules/@types/unist": {
       "version": "3.0.3",
       "resolved": "https://registry.npmjs.org/@types/unist/-/unist-3.0.3.tgz",
@@ -4414,6 +4422,15 @@
         "url": "https://github.com/fb55/domhandler?sponsor=1"
       }
     },
+    "node_modules/dompurify": {
+      "version": "3.3.1",
+      "resolved": "https://registry.npmjs.org/dompurify/-/dompurify-3.3.1.tgz",
+      "integrity": "sha512-qkdCKzLNtrgPFP1Vo+98FRzJnBRGe4ffyCea9IwHB1fyxPOeNTHpLKYGd4Uk9xvNoH0ZoOjwZxNptyMwqrId1Q==",
+      "license": "(MPL-2.0 OR Apache-2.0)",
+      "optionalDependencies": {
+        "@types/trusted-types": "^2.0.7"
+      }
+    },
     "node_modules/domutils": {
       "version": "3.2.2",
       "resolved": "https://registry.npmjs.org/domutils/-/domutils-3.2.2.tgz",
diff --git a/package.json b/package.json
index 9323cbe244e..8c532337a0b 100644
--- a/package.json
+++ b/package.json
@@ -63,6 +63,7 @@
     "codemirror": "5.65.12",
     "cookies-js": "^1.2.2",
     "cva": "^1.0.0-beta.3",
+    "dompurify": "^3.3.1",
     "floating-vue": "^5.2.2",
     "fuzzysort": "^3.1.0",
     "highlight.js": "^11.7.0",
diff --git a/resources/js/components/fieldtypes/HtmlFieldtype.vue b/resources/js/components/fieldtypes/HtmlFieldtype.vue