From 157c6d49e8ea873287750e51d4b437d70f2f062d Mon Sep 17 00:00:00 2001
From: Gregor Klevze <gregor@klevze.si>
Date: Sat, 25 Apr 2026 08:12:46 +0200
Subject: [PATCH] Sanitize browse categories HTML output

---
 resources/views/browse-categories.blade.php | 10 +++++---
 tests/Unit/ContentSanitizerTest.php         | 28 +++++++++++++++++++++
 2 files changed, 35 insertions(+), 3 deletions(-)

diff --git a/resources/views/browse-categories.blade.php b/resources/views/browse-categories.blade.php
index 79450f8c..8432016e 100644
--- a/resources/views/browse-categories.blade.php
+++ b/resources/views/browse-categories.blade.php
@@ -7,6 +7,10 @@
 @extends('layouts.nova')
 
 @section('content')
+    @php
+        $sanitizeHtml = fn (?string $value) => \App\Services\ContentSanitizer::sanitizeRenderedHtml($value ?? '');
+    @endphp
+
     <div class="effect2">
         <div class="page-heading">
             <h1 class="page-header">Browse Categories</h1>
@@ -24,7 +28,7 @@
                 <h2 class="panel-title">{{ $ct->name }}</h2>
             </div>
             <div class="panel-body">
-                <p>{!! $ct->description ?? '' !!}</p>
+                <p>{!! $sanitizeHtml($ct->description) !!}</p>
 
                 @php
                     $roots = $categoriesByType[$ct->slug] ?? $ct->rootCategories ?? collect();
@@ -37,7 +41,7 @@
                         @foreach ($roots as $category)
                             <li style="display:block;margin-bottom:8px;">
                                 <h4>{{ $category->name }}</h4>
-                                <p>{!! $category->description !!}</p>
+                                <p>{!! $sanitizeHtml($category->description) !!}</p>
                                 <ul style="list-style:none;padding:0;margin:0;">
                                     @foreach ($category->subcategories as $subcategory)
                                         @php
@@ -47,7 +51,7 @@
                                         @endphp
                                         <li style="width:19%;display:inline-block;vertical-align:top;">
                                             <img src="/gfx/icons/{{ $picture }}" width="15" height="15" alt="{{ $subcategoryName }}" />
-                                            <a href="{{ $subcategoryUrl }}" title="{{ $subcategoryName }}">{!! $subcategoryName !!}</a>
+                                            <a href="{{ $subcategoryUrl }}" title="{{ $subcategoryName }}">{{ $subcategoryName }}</a>
                                         </li>
                                     @endforeach
                                 </ul>
diff --git a/tests/Unit/ContentSanitizerTest.php b/tests/Unit/ContentSanitizerTest.php
index a9de15db..ca3ab073 100644
--- a/tests/Unit/ContentSanitizerTest.php
+++ b/tests/Unit/ContentSanitizerTest.php
@@ -77,6 +77,34 @@ test('render adds rel=noopener to external links', function () {
     expect($html)->toContain('rel="noopener noreferrer nofollow"');
 });
 
+test('sanitizeRenderedHtml keeps allowed formatting tags', function () {
+    $html = ContentSanitizer::sanitizeRenderedHtml('<p><strong>Bold</strong> and <em>italic</em> with <a href="/categories">link</a></p>');
+
+    expect($html)
+        ->toContain('<p>')
+        ->toContain('<strong>Bold</strong>')
+        ->toContain('<em>italic</em>')
+        ->toContain('<a href="/categories"')
+        ->toContain('rel="noopener noreferrer nofollow"');
+});
+
+test('sanitizeRenderedHtml strips script tags and event handlers', function () {
+    $html = ContentSanitizer::sanitizeRenderedHtml('<p onclick="evil()">Hello<script>alert(1)</script></p>');
+
+    expect($html)
+        ->not()->toContain('<script')
+        ->not()->toContain('onclick')
+        ->toContain('Hello');
+});
+
+test('sanitizeRenderedHtml strips javascript links', function () {
+    $html = ContentSanitizer::sanitizeRenderedHtml('<a href="javascript:alert(1)">click</a>');
+
+    expect($html)
+        ->not()->toContain('javascript:')
+        ->toContain('click');
+});
+
 // ── Legacy HTML conversion ────────────────────────────────────────────────────
 
 test('render converts legacy bold HTML to markdown output', function () {