Allow some HTML tags in API request body (needed at least for HTML editor fields) (fixes #1228)

changelog/61_UNRELEASED_xxxx-xx-xx.md

@@ -15,3 +15,4 @@
 - Fixed that the success message on purchase displayed no amount when `FEATURE_FLAG_STOCK_PRICE_TRACKING` was disabled
 - Fixed that adding items to the shopping list from the context/more menu on the stock overview page did not work
 - Fixed that consuming was not possible when `FEATURE_FLAG_STOCK_LOCATION_TRACKING` was disabled
+- Fixed that adding images in text editor fields did not work

controllers/BaseController.php

@@ -202,7 +202,12 @@ class BaseController
 	{
 		if (self::$htmlPurifierInstance == null)
 		{
-			self::$htmlPurifierInstance = new \HTMLPurifier(\HTMLPurifier_Config::createDefault());
+			$htmlPurifierConfig = \HTMLPurifier_Config::createDefault();
+			$htmlPurifierConfig->set('HTML.Allowed', 'div,b,strong,i,em,u,a[href|title],ul,ol,li,p[style],br,span[style],img[width|height|alt|src],table[border|width|style],tbody,tr,td,th,blockquote');
+			$htmlPurifierConfig->set('CSS.AllowedProperties', 'font,font-size,font-weight,font-style,font-family,text-decoration,padding-left,color,background-color,text-align');
+			$htmlPurifierConfig->set('URI.AllowedSchemes', ['data' => true]);
+
+			self::$htmlPurifierInstance = new \HTMLPurifier($htmlPurifierConfig);
 		}
 
 		$requestBody = $request->getParsedBody();