Allow heading tags (h1-h6) in ContentSanitizer so news editor headings render

app/Http/Controllers/Api/LinkPreviewController.php

@@ -53,7 +53,12 @@ class LinkPreviewController extends Controller
             return response()->json(['error' => 'Invalid URL.'], 422);
         }
 
-        // Resolve hostname and block private/loopback IPs (SSRF protection)
+        // Resolve hostname and block private/loopback IPs (SSRF protection).
+        // NOTE: This check is not atomic with Guzzle's own DNS resolution — a
+        // DNS rebinding attack could theoretically pass this check and then
+        // resolve to an internal IP when Guzzle makes the actual request.
+        // Risk is low (requires attacker-controlled DNS with very short TTL),
+        // but this is a known limitation of the current approach.
         $resolved = gethostbyname($host);
         if ($this->isBlockedIp($resolved)) {
             return response()->json(['error' => 'URL not allowed.'], 422);