🐛 [Bug][Backend, DB] Sanitize Group Properties `description`, `descriptionExcerpt` From Unwanted HTML Via `xssMiddleware`
Created by: Tirokk
🐛 Bugreport
In backend and db – sanitize group properties `description`, `descriptionExcerpt` from unwanted HTML via `xssMiddleware`.
See PR #5662. If you find a different solution, then I would remove it from my PR.
Wouldn't we need a migration anyhow, because there may be unsanitized HTML already in the db? @Mogge
Additional Information
We thought about a solution where we give @roschaefer's `walkRecursive` an additional optional argument where we say on which GQL types we like to sanitize a property. @Tirokk @Mogge
Old message from Discord:
If we like to use `xssMiddleware` to sanitise HTML before it gets stored in the db – which we should – we have to rename the `Group` node properties `description`.
This is because of the sanitising mechanism @roschaefer#5565 implemented, which depends on the property names.
Because of the very general name `description`, this property name is used in other places as well, which should not be sanitised this way. That's the main reason. I hadn't seen this from the beginning.
I made this a part of my issue:
https://github.com/Ocelot-Social-Community/Ocelot-Social/pull/5662
Therefore we need two db migrations, because it is not possible to do it in one:
– One for the full-text index.
– One for the properties.
I hope this all finds your agreement @Dornhoeschen#4105 @moriz#0232 ?
In the second migration I like to integrate HTML sanitising like in `xssMiddleware`. That's because we have not sanitised the HTML in the db in these properties.
Is this cool with you?
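To make the two approaches discussed above concrete (a walker that sanitises by property name alone versus one that takes an extra argument naming the GQL types on which a property should be sanitised), here is an added example. It is not Ocelot-Social code and not the real `xssMiddleware` or `walkRecursive`; the rule format, the `OtherType` GQL type and the sample payload are constructed for illustration, and the tag-stripping `stripHtml` is only a stand-in for a proper HTML sanitiser library. It assumes objects carry a GraphQL `__typename` so the walker can tell a `Group` from another type that also has a `description` property.

```javascript
// Added example (not Ocelot-Social code): name-only vs. type-aware sanitising
// of properties in a nested GraphQL payload.

// Stand-in sanitiser: strips every tag. A real middleware should use a
// dedicated HTML sanitiser library; this only makes the walker's effect visible.
function stripHtml(text) {
  return text.replace(/<[^>]*>/g, '');
}

// Rule set 1 (how a name-based mechanism behaves): any property with one of
// these names is sanitised on every type.
const nameRules = { fields: ['description', 'descriptionExcerpt'] };

// Rule set 2 (the proposed extra argument): sanitise a property only when it
// sits on one of the listed GQL types.
const typeRules = { types: { Group: ['description', 'descriptionExcerpt'] } };

function shouldSanitize(rules, typename, key) {
  if (rules.fields && rules.fields.includes(key)) return true;
  const perType = rules.types && typename ? rules.types[typename] : undefined;
  return Boolean(perType && perType.includes(key));
}

// Walks a result/argument tree and returns a sanitised copy (input untouched).
// `typename` is the type the caller knows for the root; nested objects must
// identify themselves via their own __typename, arrays keep the parent type.
function walkRecursive(value, rules, typename) {
  if (Array.isArray(value)) return value.map((item) => walkRecursive(item, rules, typename));
  if (value === null || typeof value !== 'object') return value;
  const currentType = value.__typename || typename;
  const out = {};
  for (const [key, child] of Object.entries(value)) {
    out[key] = typeof child === 'string' && shouldSanitize(rules, currentType, key)
      ? stripHtml(child)
      : walkRecursive(child, rules, undefined);
  }
  return out;
}

// Constructed sample payload: a Group plus a hypothetical other type that also
// carries a `description` and must keep its markup.
const samplePayload = {
  __typename: 'Group',
  name: 'Gardening',
  description: '<p>Welcome</p><img src=x onerror=alert(1)>',
  descriptionExcerpt: 'Welcome <b>all</b>',
  other: { __typename: 'OtherType', description: 'keep <b>this</b>' },
};

function sanitizeByName(payload) {
  return walkRecursive(payload, nameRules, undefined);
}

function sanitizeByType(payload) {
  return walkRecursive(payload, typeRules, undefined);
}

console.log('by name:', JSON.stringify(sanitizeByName(samplePayload)));
console.log('by type:', JSON.stringify(sanitizeByType(samplePayload)));
```

With the name-only rules, `OtherType.description` loses its `<b>` tags as well, which is exactly the collision the Discord message describes; with the type-aware rules, only the `Group` properties are touched and the `<img onerror>` payload is removed before it could be stored.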