That’s correct, otherwise there are a million markup exploits we are open to. I think that’s a default for the onebox…
I agree with not parsing the HTML, but passing it though Sanitize.clean might make it look better. eg.
The extension integrates your Magento 2 store with the Stripe payment service.
Sure that’s a good idea @zogstrip – I think you touched this last, for the prior round of Hacker One fixes?
I’ve addded HTML stripping to the description in the latest onebox. Should be deployed shortly: