From b223acd052511d8b4987bb9dc9f4b6291740aaa2 Mon Sep 17 00:00:00 2001
From: FuturMix
Date: Sun, 14 Jun 2026 12:16:14 +0800
Subject: [PATCH] fix(blog): sanitize post HTML to prevent stored XSS (fixes #57)
---
 apps/logicsrc-web/package.json | 2 ++
 apps/logicsrc-web/src/app/blog/[slug]/page.tsx | 11 ++++++++++-
 2 files changed, 12 insertions(+), 1 deletion(-)
diff --git a/apps/logicsrc-web/package.json b/apps/logicsrc-web/package.json
index 68fe012..9a539b5 100644
--- a/apps/logicsrc-web/package.json
+++ b/apps/logicsrc-web/package.json
@@ -15,6 +15,7 @@
 "@profullstack/autoblog": "github:profullstack/autoblog#75e54af",
 "@supabase/supabase-js": "^2.105.4",
 "marked": "^18.0.5",
+ "sanitize-html": "^2.17.0",
 "next": "16.2.6",
 "react": "19.2.0",
 "react-dom": "19.2.0"
@@ -23,6 +24,7 @@
 "@playwright/test": "^1.57.0",
 "@types/node": "^24.10.1",
 "@types/react": "^19.2.0",
+ "@types/sanitize-html": "^2.13.0",
 "@types/react-dom": "^19.2.0",
 "typescript": "^5.9.3",
 "vitest": "^4.0.8"
diff --git a/apps/logicsrc-web/src/app/blog/[slug]/page.tsx b/apps/logicsrc-web/src/app/blog/[slug]/page.tsx
index 1e48ab9..04c3b4a 100644
--- a/apps/logicsrc-web/src/app/blog/[slug]/page.tsx
+++ b/apps/logicsrc-web/src/app/blog/[slug]/page.tsx
@@ -2,6 +2,7 @@ import Link from "next/link";
 import { notFound } from "next/navigation";
 import type { ReactNode } from "react";
 import type { Metadata } from "next";
+import sanitizeHtml from "sanitize-html";
 import { publicClient } from "@/lib/supabase";
 import { SiteShell } from "@/components/site-shell";
@@ -114,7 +115,15 @@ export default async function BlogPostPage({
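Review bot: The diffstat lists only package.json and page.tsx, so no lockfile changes alongside the new `"sanitize-html": "^2.17.0"` and `"@types/sanitize-html": "^2.13.0"` entries in the two package.json hunks; if the project commits a lockfile, it should be updated in the same commit so the sanitizer's resolved version is pinned and installs stay reproducible instead of floating within the caret range. Both new entries also break the otherwise alphabetical ordering of their blocks: `sanitize-html` sits between `marked` and `next`, and `@types/sanitize-html` before `@types/react-dom`. Moving them after `"react-dom": "19.2.0"` and `"@types/react-dom": "^19.2.0"` respectively keeps both sections sorted. The same applies to the second package.json hunk.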