fix: Sanitize mention href (#11993)

* fix: Sanitize mention href

* Add llm instructions

* Potential fix for pull request finding
Tom Moor
2026-04-09 21:07:14 -04:00
committed by GitHub
parent 21d4816a00
commit 15524cdd08
2 changed files with 4 additions and 2 deletions
@@ -188,6 +188,7 @@ yarn test:shared # All shared code tests
## Security
- Sanitize all user input.
- Always use `sanitizeUrl()` when setting `href` or `src` from user-controlled data in ProseMirror `toDOM` methods, regardless of whether it is imported via an alias or a relative path. Unlike React components, `toDOM` writes raw DOM and does not sanitize attribute values.
- Use CSRF protection.
- Use rateLimiter middleware for sensitive endpoints.
- Follow OWASP guidelines.
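Review bot: the new bullet tells contributors to call `sanitizeUrl()` and warns about alias versus relative imports, but it never says which module the canonical helper lives in, so the warning is hard to act on; name the import path in the bullet so that a same-named helper elsewhere in the tree is not picked up by mistake. It would also help to anchor the rule in the case that motivated it: the commit title says the mention node's `href` was the unsanitized attribute, so cite that `toDOM` as the example, and consider adding that the same applies to any attribute a browser will navigate to or load from, not only `href` and `src`. Finally, "Sanitize all user input." directly above is now vaguer than the new bullet; either fold the `toDOM` rule under it as a sub-point or tighten the general line so the two do not read as overlapping guidance.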