
Bluemonday sanitization profiles for block content #82

@tayebmokni

Description

Summary

Configure the four bluemonday sanitization profiles in pkg/security/sanitize/policies.go per doc 13 §4.2: CommentsUGC (extremely tight: p, br, em, strong, code, blockquote, lists, anchor with rel-nofollow), PostContent (richer authoring HTML), BlockOutput (typed backstop), and PluginOutput (matches BlockOutput; plugins cannot exceed). These power the XSS pipeline layers L2 (server render), L5 (plugin host injection), and the on-save comment sanitization.

Design reference

  • docs/13-security-baseline.md §4.1 (layer responsibilities), §4.2 (Bluemonday profiles), §4.6 (plugin-rendered HTML)

Acceptance criteria

  • pkg/security/sanitize/policies.go exports CommentsUGC(), PostContent(), BlockOutput(), PluginOutput()
  • CommentsUGC: only p, br, em, strong, code, blockquote, ul, ol, li, a; rel-nofollow + target=_blank on external anchors; parseable URLs required
  • PostContent: based on UGCPolicy with images allowed; class attr on common elements; loading attr on img; data URI images allowed
  • BlockOutput and PluginOutput aliased to PostContent semantics
  • Unit tests cover known-malicious payloads (script tags, event handlers, javascript: URLs, data: scripts) for each profile
  • unfiltered_html bypass path documented and tested (super-admin only; never for comments)

Dependencies

none

Complexity

M
