Sanitize browse categories HTML output

tests/Unit/ContentSanitizerTest.php

@@ -77,6 +77,34 @@ test('render adds rel=noopener to external links', function () {
     expect($html)->toContain('rel="noopener noreferrer nofollow"');
 });
 
+test('sanitizeRenderedHtml keeps allowed formatting tags', function () {
+    $html = ContentSanitizer::sanitizeRenderedHtml('<p><strong>Bold</strong> and <em>italic</em> with <a href="/categories">link</a></p>');
+
+    expect($html)
+        ->toContain('<p>')
+        ->toContain('<strong>Bold</strong>')
+        ->toContain('<em>italic</em>')
+        ->toContain('<a href="/categories"')
+        ->toContain('rel="noopener noreferrer nofollow"');
+});
+
+test('sanitizeRenderedHtml strips script tags and event handlers', function () {
+    $html = ContentSanitizer::sanitizeRenderedHtml('<p onclick="evil()">Hello<script>alert(1)</script></p>');
+
+    expect($html)
+        ->not()->toContain('<script')
+        ->not()->toContain('onclick')
+        ->toContain('Hello');
+});
+
+test('sanitizeRenderedHtml strips javascript links', function () {
+    $html = ContentSanitizer::sanitizeRenderedHtml('<a href="javascript:alert(1)">click</a>');
+
+    expect($html)
+        ->not()->toContain('javascript:')
+        ->toContain('click');
+});
+
 // ── Legacy HTML conversion ────────────────────────────────────────────────────
 
 test('render converts legacy bold HTML to markdown output', function () {