I'm using a static html module in the standard Prismic page editor. I'm making a simple article page. Now and then I need a custom element and will insert it using standard html code. We have used this for many pages previously and the bug seems to affect all pages we have in the system. The bug first arose two days ago and it started deleting all class attributes from all my html elements. See attached screenshot.
Our team just noticed this as well. Initially entering the class to element(s) does apply it to the rendered html, and although it is stripped (visually) when we re-open, the classes continue to render out in the html ... as long as we don't make further edits to the field.
So, it appears the attribute is stripped in the editor, but persists in the data, as long as we don't overwrite the field with new data.
I'll investigate the preformated suggestion (admittedly, I'm not sure I understand that yet), but we're interested in this conversation, so I'm watching it for now.
Hello! We are seeing something very similar, and it's breaking our workflow.
(Note: Although we don't want to have some "raw HTML" input fields, there are some scenarios where the Prismic UI is overly-restrictive, and therefore having a "raw HTML input via a Key Text field is simply the only pragmatic solution for us. For example, the rich text editor does not let us input CTAs, or tables, or input forms, or all sorts of other things that might be needed.)
This sounds likely to me. However, if that's the case then I think your security fix needs to be implemented differently; Prismic should never be changing the raw data entered into Key Text fields (or any other fields, for that matter!).
In particular, what we have found is:
A non-repeatable sectionKey Text field does not perform any sort of "HTML sanitisation", which is correct/expected behaviour.
A repeatable sectionKey Text field is trying to "sanitise" the HTML, which is incorrect. For example, <a class="foo" href="/">Hello</a> is being sanitised into <a href="/">Hello</a>.
The error is evident, any attribute given to a tag (tested with div and a tags) will be deleted and if the page is saved the contents are destroyed. I've tested this with class and data-src atrtibutes.
The only workaround for this at the minute is to use a Rich Text field with the prefformatted text style for code snippets.
closed , flag & select 'Something Else' to reopen.
This thread is being monitored as an open ticket in the internal Prismic issue tracker. The Prismic support team will update this post as we get more information from our dev team. If you have a similar use-case, you can ‘Flag’ this topic to reopen and add it here.