Tighten HtmlSanitizer policy #23

@unrealbg

Description

Problem

Current HtmlSanitizer configuration may allow XSS via unsafe tags/attributes/CSS.

Proposal

  • Define and configure an explicit allowlist for tags, attributes, and CSS.
  • Strip inline event handlers/scripts.
  • Centralize the policy and make it configurable, with unit tests for common XSS payloads.

Alternatives considered

  • Use default HtmlSanitizer policy.

Acceptance criteria

  • Inline event handlers/scripts stripped
  • Unit tests cover common XSS payloads
  • Policy centralized and configurable

Technical notes

  • Configure HtmlSanitizer in DI and reuse everywhere
  • Allow safe embeds as needed (e.g., a, p, img with src/alt)

Risks

  • Overzealous policy may break legitimate content embeds.
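One possible shape for the proposal above, added here as an example and not code from this repository or its author: the policy is built in one place from an options object, registered once in DI, and covered by xUnit regression tests that also check a legitimate embed survives. It assumes the HtmlSanitizer NuGet package (namespace Ganss.Xss), Microsoft.Extensions.DependencyInjection and xUnit; SanitizerOptions, its default lists and the test payloads are hypothetical, constructed for the example.

```csharp
// Added example, not repository code. Assumes Ganss.Xss (HtmlSanitizer NuGet), MS DI and xUnit.
using Ganss.Xss;
using Microsoft.Extensions.DependencyInjection;
using Xunit;

// Hypothetical options type: bind it from appsettings so the allowlist is configurable.
public sealed class SanitizerOptions
{
    public string[] Tags { get; set; } = { "a", "p", "img", "strong", "em", "ul", "ol", "li", "br" };
    public string[] Attributes { get; set; } = { "href", "src", "alt", "title" };
    public string[] CssProperties { get; set; } = new string[0]; // no inline CSS by default
    public string[] Schemes { get; set; } = { "http", "https", "mailto" };
}

public static class SanitizerPolicy
{
    public static IHtmlSanitizer Create(SanitizerOptions o)
    {
        var s = new HtmlSanitizer();
        // Clear the library defaults so only the explicit allowlist remains; on* handlers
        // and <script>/<style> are never listed, so they are dropped whatever the config.
        s.AllowedTags.Clear();          s.AllowedTags.UnionWith(o.Tags);
        s.AllowedAttributes.Clear();    s.AllowedAttributes.UnionWith(o.Attributes);
        s.AllowedCssProperties.Clear(); s.AllowedCssProperties.UnionWith(o.CssProperties);
        s.AllowedSchemes.Clear();       s.AllowedSchemes.UnionWith(o.Schemes);
        return s;
    }
    // Register once and reuse the configured instance everywhere (the DI note in the issue).
    public static IServiceCollection AddHtmlSanitizer(this IServiceCollection services, SanitizerOptions o)
        => services.AddSingleton<IHtmlSanitizer>(_ => Create(o));
}

// Regression tests: classic payload shapes (constructed) must lose their executable parts,
// while a legitimate embed survives (guards against the "overzealous policy" risk).
public class SanitizerPolicyTests
{
    private readonly IHtmlSanitizer _s = SanitizerPolicy.Create(new SanitizerOptions());
    [Theory]
    [InlineData("<img src=x onerror=alert(1)>")]
    [InlineData("<script>alert(1)</script><p>ok</p>")]
    [InlineData("<a href=\"javascript:alert(1)\">x</a>")]
    [InlineData("<p style=\"background:url(javascript:alert(1))\">x</p>")]
    public void Strips_Executable_Content(string payload)
    {
        var output = _s.Sanitize(payload);
        foreach (var bad in new[] { "onerror", "<script", "javascript:" }) Assert.DoesNotContain(bad, output);
    }

    [Fact]
    public void Keeps_Allowed_Embed() =>
        Assert.Contains("alt=\"a\"", _s.Sanitize("<p>hi <img src=\"https://example.com/a.png\" alt=\"a\"></p>"));
}
```

Configure the instance only inside Create and never mutate the allowlists afterwards, so the singleton can be shared safely across requests.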

Additional context

Labels: security, backend, test
