Add PropertyString, cleanHtml helper and escapeOrCleanHtml helper.

composer.json

@@ -53,6 +53,7 @@
         "composer/package-versions-deprecated": "1.11.99.5",
         "composer/semver": "3.4.3",
         "endroid/qr-code": "5.1.0",
+        "ezyang/htmlpurifier": "4.17.0",
         "guzzlehttp/guzzle": "7.9.2",
         "jaybizzle/crawler-detect": "^1.2",
         "laminas/laminas-cache": "3.12.2",

config/vufind/config.ini

@@ -2641,3 +2641,10 @@ description = "The REST API provides access to search functions and records cont
 ; By default, VuFind sorts text in a locale-agnostic way; if this setting is
 ; turned on, the current user-selected locale will impact sort order.
 ;use_locale_sorting = true
+
+; By default HTML is not allowed in record fields, but support for sanitized HTML
+; can be enabled per field type.
+[HTML_Fields]
+;title = false
+;title-alt = false
+;summary = false

module/VuFind/src/VuFind/Content/Summaries/Demo.php

@@ -29,6 +29,8 @@
 
 namespace VuFind\Content\Summaries;
 
+use VuFind\String\PropertyString;
+
 /**
  * Demo (fake data) summaries content loader.
  *
@@ -56,6 +58,8 @@ public function loadByIsbn($key, \VuFindCode\ISBN $isbnObj)
         return [
             'Demo summary key: ' . $key,
             'Demo summary ISBN: ' . $isbnObj->get13(),
+            (new PropertyString('Demo non-HTML summary'))
+                ->setHtml('<strong>Demo HTML Summary:</strong><ul><li>Item 1</li><li>Item 2</li></ul>'),
         ];
     }
 }

module/VuFind/src/VuFind/Content/Summaries/Syndetics.php

@@ -29,6 +29,8 @@
 
 namespace VuFind\Content\Summaries;
 
+use VuFind\String\PropertyString;
+
 /**
  * Syndetics Summaries content loader.
  *
@@ -110,7 +112,7 @@ public function loadByIsbn($key, \VuFindCode\ISBN $isbnObj)
                 // If we have syndetics plus, we don't actually want the content
                 // we'll just stick in the relevant div
                 if ($this->usePlus) {
-                    $summaries[] = $sourceInfo['div'];
+                    $summaries[] = PropertyString::fromHtml($sourceInfo['div'])->setHtmlTrusted(true);
                 } else {
                     // Get the marc field for summaries. (520)
                     $nodes = $xmldoc2->GetElementsbyTagName('Fld520');

module/VuFind/src/VuFind/RecordDriver/DefaultRecord.php

@@ -1271,9 +1271,9 @@ public function getSystemDetails()
     public function getSummary()
     {
         // We need to return an array, so if we have a description, turn it into an
-        // array (it should be a flat string according to the default schema, but we
-        // might as well support the array case just to be on the safe side:
-        return (array)($this->fields['description'] ?? []);
+        // array (it is a flat string in the default Solr schema, but we also
+        // support multivalued fields for other backends):
+        return $this->getFieldAsArray('description');
     }
 
     /**
@@ -1816,4 +1816,23 @@ public function getCoordinateLabels()
     {
         return (array)($this->fields['long_lat_label'] ?? []);
     }
+
+    /**
+     * Get a field as an array
+     *
+     * @param string $field Field
+     *
+     * @return array
+     */
+    protected function getFieldAsArray(string $field): array
+    {
+        // Make sure to return only non-empty values:
+        $value = $this->fields['description'] ?? '';
+        if ('' === $value) {
+            return [];
+        }
+        // Avoid casting since description can be a PropertyString too (and casting would return an array of object
+        // properties):
+        return is_array($value) ? $value : [$value];
+    }
 }