When fetching a Product (and some other entities) from the REST API, there’s a body_html property that contains HTML. Is that guaranteed to be sanitized, i.e. safe to render in a browser? If I uploaded HTML that contained a <script> tag, for example, then fetched that Product, would the returned body_html include that script tag?
Seems like it would have to be, but I can’t find anything that says for sure.
The REST API has the body_html property, which is not sanitized. Script tags, if entered in the product description, will come back as such. The GraphQL API has two different fields, description and descriptionHtml. The descriptionHtml field behaves like body_html and will return the exact HTML code entered in the description field (as per the docs). The description field will have the content with all the tags removed.
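Since body_html (and descriptionHtml) come back exactly as entered, anything that renders them must treat them as untrusted. The following is an added example, not code from the post or from Shopify: a small allowlist sanitizer built on Python's standard-library HTMLParser, applied to a constructed Product payload whose body_html carries a script tag, an event-handler attribute and a javascript: URL. It also shows a tag-stripping helper in the spirit of the GraphQL description field; the allowlist, the sample payload and the exact stripping rules are this example's own assumptions, not Shopify's algorithm. For production use a maintained sanitizer (DOMPurify in the browser, nh3 or bleach in Python); this block exists to make the failure mode concrete.

```python
"""Allowlist sanitizer for untrusted body_html / descriptionHtml before rendering."""
from html import escape
from html.parser import HTMLParser

# Illustrative allowlist (an assumption of this example): tags a product
# description plausibly needs. Anything not listed is dropped.
ALLOWED_TAGS = {"p", "br", "b", "strong", "i", "em", "u", "ul", "ol", "li",
                "h1", "h2", "h3", "h4", "a", "img", "span", "div"}
ALLOWED_ATTRS = {"a": {"href", "title"}, "img": {"src", "alt", "width", "height"}}
# Tags whose *content* must also be discarded, not just the tag itself.
DROP_CONTENT_TAGS = {"script", "style", "iframe", "object", "embed"}
VOID_TAGS = {"br", "img"}


def _safe_url(value):
    """Allow http(s), mailto and scheme-less relative URLs; reject everything else."""
    v = "".join(value.split()).lower()  # strip whitespace used to hide "java\nscript:"
    if v.startswith(("http://", "https://", "mailto:")):
        return True
    return ":" not in v  # no scheme at all -> relative URL; blocks javascript:, data:, vbscript:


class AllowlistSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self._skip_depth = 0  # > 0 while inside script/style/etc.

    def handle_starttag(self, tag, attrs):
        if self._skip_depth:
            if tag in DROP_CONTENT_TAGS:
                self._skip_depth += 1
            return
        if tag in DROP_CONTENT_TAGS:
            self._skip_depth = 1
            return
        if tag not in ALLOWED_TAGS:
            return  # unknown tag: drop the tag, keep its inner text
        kept = []
        for name, value in attrs:
            name = name.lower()
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue  # drops on* handlers, style, etc.
            value = value or ""
            if name in ("href", "src") and not _safe_url(value):
                continue
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if self._skip_depth:
            if tag in DROP_CONTENT_TAGS:
                self._skip_depth -= 1
            return
        if tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self._skip_depth:
            self.out.append(escape(data, quote=False))  # re-escape text content


class TextExtractor(HTMLParser):
    """Keeps only text, discarding script/style bodies (this example's rule)."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.parts = []
        self._skip = 0

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT_TAGS:
            self._skip += 1

    def handle_endtag(self, tag):
        if tag in DROP_CONTENT_TAGS and self._skip:
            self._skip -= 1

    def handle_data(self, data):
        if not self._skip:
            self.parts.append(data)


def sanitize_html(html):
    p = AllowlistSanitizer()
    p.feed(html)
    p.close()
    return "".join(p.out)


def to_plain_text(html):
    p = TextExtractor()
    p.feed(html)
    p.close()
    return " ".join("".join(p.parts).split())


# Constructed sample mimicking a REST Product whose body_html holds injected markup.
SAMPLE_PRODUCT = {
    "id": 1,
    "title": "Example Tee",
    "body_html": '<p>Soft <b>cotton</b> tee.</p>'
                 '<script>alert(1)</script>'
                 '<a href="javascript:alert(1)" onclick="alert(1)">Size guide</a>'
                 '<img src="/cdn/tee.png" onerror="alert(1)" alt="tee">',
}

if __name__ == "__main__":
    print("raw:      ", SAMPLE_PRODUCT["body_html"])
    print("sanitized:", sanitize_html(SAMPLE_PRODUCT["body_html"]))
    print("text only:", to_plain_text(SAMPLE_PRODUCT["body_html"]))
```

Run as a script it prints the raw value beside the sanitized one; the script element and its body, the onclick/onerror handlers and the javascript: href are gone, while the harmless markup and the relative image path survive.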