Pull request overview

This PR fixes an XSS vulnerability in the AnnouncementModal component by introducing DOMPurify to sanitize HTML content fetched from a remote announcement API before it is rendered via dangerouslySetInnerHTML.

Changes:

• Adds DOMPurify as a runtime dependency and configures a strict allowlist (tags, attributes, and URI schemes) for HTML sanitization.
• Sanitizes the announcement content before hashing and displaying it, and skips rendering if the sanitized result is empty.
• Updates package-lock.json to reflect the new dependency tree.

Reviewed changes

Copilot reviewed 2 out of 3 changed files in this pull request and generated 3 comments.

Issues found:

1. @types/dompurify is a deprecated no-op (package.json line 15): The package-lock.json itself flags it as deprecated: "This is a stub types definition. dompurify provides its own type definitions, so you do not need this installed." It should be removed from package.json.

2. Reverse tabnabbing via target attribute (AnnouncementModal.tsx line 16): target is included in ANNOUNCEMENT_ALLOWED_ATTR, meaning announcement authors (or a compromised API) can inject target="_blank" on links. Without rel="noopener noreferrer", the opened page can access window.opener and redirect the parent tab. Either remove target from the allowlist, or add a DOMPurify afterSanitizeAttributes hook to enforce rel="noopener noreferrer" on any target="_blank" link.

3. One-time re-display for existing users (AnnouncementModal.tsx line 53, nit): The hash is now computed on sanitized content rather than raw content. Existing users who stored a hash of the raw announcement will see the current announcement one more time. This is a minor, one-time UX regression to be aware of.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Pull request overview

Copilot reviewed 2 out of 3 changed files in this pull request and generated 1 comment.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Pull request overview

Copilot reviewed 2 out of 3 changed files in this pull request and generated no new comments.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Right now the announcement sanitizer strips style (FORBID_ATTR includes style, and it’s not in ALLOWED_ATTR). This breaks our existing announcement content that relies on inline styles to render “button-like” links (layout/spacing + CTA button appearance). We also have existing announcements with CTA/button jump behavior, and the current sanitization removes the necessary pieces so the CTAs degrade into plain text/unstyled links.

Please update the implementation to:

1. Allow style attributes to pass through for announcement HTML (at least for a controlled set of tags like a, div, span, p, etc.), so our CTA buttons and layout are preserved.
2. Ensure the announcement “button jump/redirect” behavior works as intended for existing content (e.g., the CTA links should still behave like buttons and remain usable after sanitization).

Important: keep the security guarantees. If you’re concerned about enabling arbitrary inline CSS, we can restrict allowed CSS properties (e.g., via DOMPurify hooks / a CSS allowlist) rather than forbidding style entirely. But as-is, this is a functional regression for announcements that include CTA buttons.