Background / Issue
JurisdictionContent rich-text bodies are admin-authored HTML, so stored HTML must be sanitized to
prevent stored XSS. This is a precondition for enabling the structured-content editor for any
jurisdiction.
Technical Context
Acceptance Criteria
- A documented tag/attribute allowlist is enforced on write; a payload with disallowed tags/attrs
(including javascript: link targets) is stripped or rejected.
- Render passes stored HTML through the sanitizer as a defense-in-depth step.
- The sanitizer is in place before
enableDbDrivenContent is flipped on for any jurisdiction.
QA Notes
Backend/shared. Test known XSS vectors (script tags, on* handlers, javascript: hrefs, disallowed
tags) are removed on write and render; confirm allowed formatting survives.
Background / Issue
JurisdictionContentrich-text bodies are admin-authored HTML, so stored HTML must be sanitized toprevent stored XSS. This is a precondition for enabling the structured-content editor for any
jurisdiction.
Technical Context
defense-in-depth pass on render.
JurisdictionContent write path (JurisdictionContent service and admin CRUD #6511) and the seed migration's markdown conversion (Seed / data migration command #6519).
Acceptance Criteria
(including
javascript:link targets) is stripped or rejected.enableDbDrivenContentis flipped on for any jurisdiction.QA Notes
Backend/shared. Test known XSS vectors (script tags,
on*handlers,javascript:hrefs, disallowedtags) are removed on write and render; confirm allowed formatting survives.