HumanSignal · laurence-hudson-mindfoundry · Sep 24, 2024
diff --git a/docs/source/tags/hypertext.md b/docs/source/tags/hypertext.md
@@ -18,6 +18,7 @@ Use with the following data types: HTML.
 | value | <code>string</code> |  | Value of the element |
 | [valueType] | <code>url</code> \| <code>text</code> | <code>text</code> | Whether the text is stored directly in uploaded data or needs to be loaded from a URL |
 | [inline] | <code>boolean</code> | <code>false</code> | Whether to embed HTML directly in Label Studio or use an iframe |
+| [sanitizeHtml] | <code>boolean</code> | <code>true</code> | Whether to sanitize the provided html (remove scripts etc) |
 | [saveTextResult] | <code>yes</code> \| <code>no</code> |  | Whether to store labeled text along with the results. By default, doesn't store text for `valueType=url` |
 | [encoding] | <code>none</code> \| <code>base64</code> \| <code>base64unicode</code> |  | How to decode values from encoded strings |
 | [selectionEnabled] | <code>boolean</code> | <code>true</code> | Enable or disable selection |

diff --git a/web/libs/editor/src/tags/object/RichText/model.js b/web/libs/editor/src/tags/object/RichText/model.js
@@ -41,6 +41,7 @@ const WARNING_MESSAGES = {
  * @param {string} value                                  - value of the element
  * @param {url|text} [valueType=url|text]                 – source of the data, check (Data retrieval)[https://labelstud.io/guide/tasks.html] page for more inforamtion
  * @param {boolean} [inline=false]                        - whether to embed html directly to LS or use iframe (only HyperText)
+ * @param {boolean} [sanitizeHtml=true]                   - whether to sanitize the provided html (only HyperText)
  * @param {boolean} [saveTextResult=true]                 – whether or not to save selected text to the serialized data
  * @param {boolean} [selectionEnabled=true]               - enable or disable selection
  * @param {boolean} [clickableLinks=false]                – allow annotator to open resources from links
@@ -57,6 +58,8 @@ const TagAttrs = types.model("RichTextModel", {
 
   inline: false,
 
+  sanitizehtml: types.optional(types.boolean, true),
+
   /** Whether or not to save selected text to the serialized data */
   savetextresult: types.optional(types.enumeration(["none", "no", "yes"]), () =>
     window.LS_SECURE_MODE ? "no" : "none",
@@ -235,7 +238,7 @@ const Model = types
         // clean up the html — remove scripts and iframes
         // nodes count better be the same, so replace them with stubs
         // we should not sanitize text tasks because we already have htmlEscape in view.js
-        if (isFF(FF_SAFE_TEXT) && self.type === "text") {
+        if (!self.sanitizehtml || (isFF(FF_SAFE_TEXT) && self.type === "text")) {
           self._value = String(val);
         } else {
           self._value = sanitizeHtml(String(val));