Disable XML/HTML filtering for a single field?

Hi all,

I have a Text field that needs to be filled with XML data. Every time I press “save”, the XML data is getting filtered.

Is there a way to disable this filtering for a single field?



Try using the commands before saving and after retrieving the data: base64_encode and base64_decode.

Or have a look at a function called clean_incoming_data in include/utils.php

It applies the function secure_xss (with array_map) to each field in $_REQUEST, $_POST and $_GET, for every web request.

It’s completely the wrong way of doing security, and it is in my opinion, the biggest technical debt item in SuiteCRM (and there is a lot of competition for that title). I’d say there are at least 50 or 100 issues on Github caused by this alone.
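To make the mechanism concrete, here is an added example (not SuiteCRM's own code) of the blanket "sanitize every request field on the way in" pattern described above, with a deliberately simplified stand-in for secure_xss, and of the alternative that stores the raw value and encodes it only at the point of output. The function names demo_secure_xss, demo_clean_incoming_data and render_as_text, and the request array, are constructed for this example.

```php
<?php
// Added example, not SuiteCRM code. demo_secure_xss() is a simplified
// stand-in for SuiteCRM's secure_xss(); the real function is regex based
// and differs in detail, but the blanket array_map pattern is the same.
function demo_secure_xss($value)
{
    if (is_array($value)) {
        return array_map('demo_secure_xss', $value); // nested request arrays
    }
    if (!is_string($value)) {
        return $value;
    }
    // Drop <script> blocks, inline event handlers, then every remaining tag.
    $value = preg_replace('/<\s*script\b[^>]*>.*?<\s*\/\s*script\s*>/is', '', $value);
    $value = preg_replace('/\son\w+\s*=\s*("[^"]*"|\'[^\']*\'|[^\s>]+)/i', '', $value);
    return strip_tags($value);
}

// Stand-in for clean_incoming_data(): applied to the whole request,
// with no knowledge of which field is plain text and which carries XML.
function demo_clean_incoming_data(array $request): array
{
    return array_map('demo_secure_xss', $request);
}

// Context-specific encoding at output time: the stored value is untouched,
// and is made inert for the HTML context only where it is displayed.
function render_as_text(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed request: one ordinary text field and one field carrying XML.
$request = [
    'name'     => 'Acme <b>Ltd</b>',
    'xml_data' => '<?xml version="1.0"?><order id="42"><item sku="A1">Widget &amp; Co</item></order>',
];

$cleaned = demo_clean_incoming_data($request);
// The element structure and the XML declaration are stripped from xml_data;
// only the character data survives, so the stored document is no longer XML.
echo $cleaned['xml_data'], PHP_EOL;

// Same field, raw value kept, escaped only when rendered into an HTML page.
echo render_as_text($request['xml_data']), PHP_EOL;
```

The point the example makes is that intake-time filtering has to guess the output context, and guesses wrong for any field whose legitimate content is markup. Validating each field against its own expected type on input and encoding for the actual context on output does not have that problem.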

Yes, the option using encode / decode will not work. The clean_incoming_data function runs before that.

Thanks for your comments.

The data is calculated/created by a save hook. For the past years I’ve kept editing HtmlSanitizer.php to directly return the $dirtyhtml without any modification. This patch is neither secure nor upgrade-safe.

The value can also be returned via an API call to a webform.


I’ve used this approach in the past:

In file custom/modules/EmailTemplates/EmailTemplate.php:


<?php
if (!defined('sugarEntry') || !sugarEntry) {
    die('Not A Valid Entry Point');
}

require_once 'modules/EmailTemplates/EmailTemplate.php';

class CustomEmailTemplate extends EmailTemplate
{
    public function cleanBean()
    {
        // Let the stock clean-up run for every field first ...
        parent::cleanBean();
        // ... then put the unfiltered request value back for this one field.
        $this->body_html = $GLOBALS['RAW_REQUEST']['body_html'];
    }
}

By overriding the function cleanBean (which calls cleanHtml) you can sometimes circumvent the entire scheme. In this case, I do it just for a single field. I actually let the clean up occur, but then revert to the original value…

You can adapt that to other modules.
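If you do restore a raw value in a cleanBean override, the field is no longer covered by any filtering at all, so it is worth at least checking that what comes back is what the field is meant to hold. The following is an added example (not SuiteCRM's code and not the post's own) of that guard for an XML field: the raw value is restored only if it parses as well-formed XML with no DOCTYPE (so no entity declarations) and with network access disabled during parsing. DemoBean stands in for the real SuiteCRM bean so the file runs on its own; safe_xml_or_null, CustomDemoBean and the xml_data field are constructed for this example, and $GLOBALS['RAW_REQUEST'] is used as in the post above.

```php
<?php
// Added example, not SuiteCRM code. DemoBean is a stand-in for the real
// bean class so this runs stand-alone; its cleanBean() mimics a sanitizer
// that strips all markup from the field.
class DemoBean
{
    public string $xml_data = '';

    public function cleanBean(): void
    {
        $this->xml_data = strip_tags($this->xml_data);
    }
}

// Return $raw unchanged only if it is well-formed XML, carries no DOCTYPE
// (hence no internal or external entity declarations) and parsing needed
// no network access. Anything else yields null.
function safe_xml_or_null(string $raw): ?string
{
    if (PHP_VERSION_ID < 80000) {
        // Older PHP/libxml: explicitly forbid external entity loading.
        libxml_disable_entity_loader(true);
    }
    $previous = libxml_use_internal_errors(true);
    $doc = new DOMDocument();
    // LIBXML_NONET blocks network fetches; LIBXML_NOENT is deliberately NOT set,
    // so entity references are never substituted during the check.
    $ok = $doc->loadXML($raw, LIBXML_NONET);
    libxml_clear_errors();
    libxml_use_internal_errors($previous);
    if (!$ok || $doc->doctype !== null) {
        return null;
    }
    return $raw;
}

class CustomDemoBean extends DemoBean
{
    public function cleanBean(): void
    {
        parent::cleanBean(); // stock clean-up still runs for every field
        $raw = $GLOBALS['RAW_REQUEST']['xml_data'] ?? null;
        if (is_string($raw) && ($checked = safe_xml_or_null($raw)) !== null) {
            $this->xml_data = $checked; // restore only validated XML
        }
        // otherwise the sanitized value from the parent stays in place
    }
}

// Constructed request 1: a plain, well-formed document.
$GLOBALS['RAW_REQUEST'] = ['xml_data' => '<order id="42"><item>Widget</item></order>'];
$bean = new CustomDemoBean();
$bean->xml_data = $GLOBALS['RAW_REQUEST']['xml_data'];
$bean->cleanBean();
echo $bean->xml_data, PHP_EOL; // the validated XML is restored intact

// Constructed request 2: a DOCTYPE with an external entity (XXE attempt).
$GLOBALS['RAW_REQUEST'] = [
    'xml_data' => '<!DOCTYPE x [<!ENTITY e SYSTEM "file:///etc/passwd">]><x>&e;</x>',
];
$bean = new CustomDemoBean();
$bean->xml_data = $GLOBALS['RAW_REQUEST']['xml_data'];
$bean->cleanBean();
echo $bean->xml_data, PHP_EOL; // rejected by the DOCTYPE check; sanitized value kept
```

The check replaces a generic "is this XSS-ish" filter with the question that actually matters for this field: is it the XML document the application expects. Whatever renders the field afterwards still needs to escape it for its own output context, as the stored value now contains literal markup.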