mirror of
https://github.com/multica-ai/multica.git
synced 2026-07-05 21:39:54 +02:00
* fix: sanitize markdown rendering in comments and shared renderers

Add rehype-sanitize to both ReadonlyContent and Markdown components so that raw HTML parsed by rehype-raw is sanitized against a strict allowlist before reaching the DOM.

On the backend, add a bluemonday sanitization pass when creating and updating comments to strip dangerous tags as defense-in-depth.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: add mention:// protocol to sanitize allowlist and validate file card URLs

- Add mention:// to rehype-sanitize protocols.href in both ReadonlyContent and Markdown so @mention links survive sanitization
- Validate data-href on file cards to only allow http(s) URLs, blocking javascript: and data: schemes in both frontend click handler and backend bluemonday policy
- Narrow class attribute allowlist to specific elements (code, div, span, pre)

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
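The second commit's file-card rule (follow a data-href only when it is an http(s) URL, so javascript: and data: values never reach navigation) can be checked with the WHATWG URL parser rather than string matching. The block below is an added illustration, not multica's own click handler; the function names, the `navigate` callback and the returned decision object are assumptions made here so the check can be exercised in isolation.

```javascript
// Added example (not code from the multica repository): scheme allowlist for
// the data-href carried by a file card. Only http(s) may be followed; every
// other scheme and every unparsable value is rejected.
const ALLOWED_SCHEMES = new Set(["http:", "https:"]);

function isSafeFileCardHref(href) {
  if (typeof href !== "string") return false;
  let url;
  try {
    // No base URL on purpose: relative or scheme-less values fail to parse
    // and are rejected instead of being silently resolved against the page.
    // The URL parser also strips ASCII tab/newline and lowercases the scheme,
    // so obfuscated spellings such as "JAVA\tSCRIPT:" still normalise to
    // "javascript:" and are caught by the allowlist.
    url = new URL(href);
  } catch {
    return false;
  }
  return ALLOWED_SCHEMES.has(url.protocol);
}

// Hypothetical click-handler shape: consult the allowlist before navigating and
// return the decision so callers (and tests) can observe what happened.
function handleFileCardClick(dataHref, navigate) {
  if (!isSafeFileCardHref(dataHref)) {
    return { followed: false, reason: "scheme not allowed" };
  }
  navigate(dataHref);
  return { followed: true };
}

// Constructed sample values covering the cases the commit describes.
const SAMPLE_HREFS = [
  "https://files.example.test/report.pdf",
  "http://files.example.test/report.pdf",
  "javascript:alert(document.cookie)",
  "data:text/html,<script>alert(1)</script>",
  "JAVA\tSCRIPT:alert(1)",
  "//files.example.test/report.pdf",
];

function classifySamples() {
  return SAMPLE_HREFS.map((h) => [h, isSafeFileCardHref(h)]);
}
```

Relying on `url.protocol` keeps the decision on the parsed scheme, so case, embedded tabs and leading whitespace cannot slip a forbidden scheme past a prefix comparison; the backend bluemonday policy the commit mentions should apply the same http(s)-only rule so the frontend check is not the only line of defence.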