Comments and proposals may render Markdown. Improper rendering can lead to XSS.

Action:
- [ ] Identify all locations where Markdown is rendered in the frontend
- [ ] Ensure only safe HTML tags are allowed (use `DOMPurify` or `sanitize-html`)
- [ ] Test with common XSS payloads in Markdown format
- [ ] Disable raw HTML in Markdown renderer (`allowDangerousHtml: false`)
- [ ] Add Content Security Policy header to prevent inline script execution
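The allowlist approach behind items 2 to 5, as an added example that is not this project's code: a small stand-in sanitizer (the real frontend would call `DOMPurify` or `sanitize-html`, or `rehype-sanitize` when rendering through remark/rehype, where `allowDangerousHtml` already defaults to `false`), the payload regression check that item 3 asks for, and a starting CSP value. The tag and attribute lists, the payload fixtures and the header value are all assumptions for this app, not anything the issue specifies.

```javascript
// Added example, not the project's code: a minimal allowlist HTML sanitizer
// standing in for DOMPurify / sanitize-html, plus the XSS regression check the
// checklist asks for. All payloads below are constructed test fixtures.
// Run with: node markdown-xss-check.js

// Tags the Markdown renderer legitimately emits; everything else is stripped (assumed list).
const ALLOWED_TAGS = new Set([
  'p', 'br', 'a', 'img', 'strong', 'em', 'code', 'pre', 'blockquote',
  'ul', 'ol', 'li', 'h1', 'h2', 'h3', 'h4', 'table', 'thead', 'tbody', 'tr', 'th', 'td',
]);
// Per-tag attribute allowlist: no on* handlers, no style, no srcdoc.
const ALLOWED_ATTRS = { a: new Set(['href', 'title']), img: new Set(['src', 'alt', 'title']) };
// Elements whose body must go too, otherwise script text survives as visible text.
const DROP_WITH_BODY = new Set(['script', 'style', 'iframe', 'object', 'embed', 'noscript']);

// One tag: optional '/', a name, zero or more attributes (quoted or bare), optional '/'.
const TAG_RE = /^<(\/?)([a-zA-Z][a-zA-Z0-9]*)((?:\s+[^\s"'>\/=]+(?:\s*=\s*(?:"[^"]*"|'[^']*'|[^\s"'>]+))?)*)\s*\/?>/;
const ATTR_RE = /([^\s"'>\/=]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;

// Only http(s), mailto and scheme-less (relative) URLs may appear in href/src.
function isSafeUrl(value) {
  // Strip whitespace and control characters so "java\tscript:" cannot slip past the check.
  const v = value.replace(/[\s\u0000-\u001f]/g, '').toLowerCase();
  const scheme = /^([a-z][a-z0-9+.-]*):/.exec(v);
  return scheme === null || ['http', 'https', 'mailto'].includes(scheme[1]);
}

// Rebuild the attribute list keeping only allowed names with safe values.
function sanitizeAttrs(tag, attrText) {
  const allowed = ALLOWED_ATTRS[tag];
  if (!allowed) return '';
  let out = '';
  for (const m of attrText.matchAll(ATTR_RE)) {
    const name = m[1].toLowerCase();
    const value = m[2] ?? m[3] ?? m[4] ?? '';
    if (!allowed.has(name)) continue;                                        // drops onerror=, style=, ...
    if ((name === 'href' || name === 'src') && !isSafeUrl(value)) continue;   // drops javascript:, data:
    out += ` ${name}="${value.replace(/"/g, '&quot;')}"`;
  }
  return out;
}

// Walk the renderer's HTML output: keep allowed tags with allowed attributes,
// drop everything else, and neutralise any '<' that does not start a valid tag.
function sanitizeHtml(html) {
  let out = '';
  let i = 0;
  while (i < html.length) {
    const lt = html.indexOf('<', i);
    if (lt === -1) { out += html.slice(i); break; }
    out += html.slice(i, lt);
    const m = TAG_RE.exec(html.slice(lt));
    if (m === null) { out += '&lt;'; i = lt + 1; continue; }                // malformed or unclosed tag
    const [whole, slash, rawName, attrs] = m;
    const name = rawName.toLowerCase();
    i = lt + whole.length;
    if (DROP_WITH_BODY.has(name)) {
      if (slash) continue;                                                  // stray closing tag
      const close = html.toLowerCase().indexOf(`</${name}`, i);
      const closeEnd = close === -1 ? -1 : html.indexOf('>', close);
      i = closeEnd === -1 ? html.length : closeEnd + 1;                    // skip the whole body
      continue;
    }
    if (!ALLOWED_TAGS.has(name)) continue;                                  // unknown tag: strip, keep text
    out += slash ? `</${name}>` : `<${name}${sanitizeAttrs(name, attrs)}>`;
  }
  return out;
}

// Constructed fixtures: what a Markdown renderer with raw HTML enabled would emit
// for a hostile comment. Each must come out inert.
const PAYLOADS = [
  '<script>alert(1)</script>',
  '<img src=x onerror=alert(1)>',
  '<a href="javascript:alert(1)">click</a>',
  '<a href="java\tscript:alert(1)">click</a>',
  '<svg><script>alert(1)</script></svg>',
  '<p>1 < 2 and <iframe srcdoc="<script>alert(1)</script>"></iframe></p>',
];

// Markers of active content that must never survive sanitisation.
const ACTIVE_MARKERS = [
  (h) => /<script|<iframe/i.test(h),
  (h) => /[\s"'/]on[a-z]+\s*=/i.test(h),                                   // inline event handler
  (h) => /javascript:/i.test(h.replace(/[\s\u0000-\u001f]/g, '')),
];
function looksActive(html) { return ACTIVE_MARKERS.some((f) => f(html)); }

// Returns the payloads whose sanitised form still carries an active-content marker.
function findSurvivingPayloads(sanitize, payloads = PAYLOADS) {
  return payloads.filter((p) => looksActive(sanitize(p)));
}

// Checklist item 5: a CSP that blocks inline scripts even if something slips past the
// sanitizer. No 'unsafe-inline' in script-src; use a nonce or hash for any first-party
// inline script the app really needs. Assumed starting value, tune per deployment.
const CSP_HEADER = "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'; frame-ancestors 'none'";

const surviving = findSurvivingPayloads(sanitizeHtml);
console.log(surviving.length === 0 ? 'all payloads neutralised' : `FAILED:\n${surviving.join('\n')}`);
console.log('Content-Security-Policy:', CSP_HEADER);
```

`findSurvivingPayloads` is the part worth keeping as a frontend test: point it at whichever sanitizer the app ends up using and it fails the build if any fixture comes through with a script, handler or `javascript:` URL. The regex tokenizer itself is only a teaching stand-in; it does not decode HTML entities in attribute values or model the browser's parser recovery, which is exactly why the checklist names DOMPurify or sanitize-html rather than a hand-rolled filter.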