Josh Knapp bd15a33984 sitesmith: harden HtmlBlock with DOMPurify + add Vitest setup ...

Closes XSS hole in HtmlBlock by sanitizing user/AI-supplied markup
through DOMPurify before passing to dangerouslySetInnerHTML. Adds
Vitest + jsdom for unit testing with 5 passing tests covering script
stripping, on-event handler removal, javascript: URL blocking, iframe
allowlist, and form/input stripping.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

2026-05-23 14:13:42 -07:00

107 KiB

Raw Blame History

View Raw