Allow heading tags (h1-h6) in ContentSanitizer so news editor headings render

tests/Feature/Dashboard/DashboardArtworkDescriptionValidationTest.php

@@ -0,0 +1,29 @@
+<?php
+
+declare(strict_types=1);
+
+use App\Models\Artwork;
+use App\Models\User;
+use Illuminate\Foundation\Testing\RefreshDatabase;
+
+uses(RefreshDatabase::class);
+
+it('rejects raw html when updating artwork descriptions from the dashboard editor', function (): void {
+    $user = User::factory()->create();
+    $artwork = Artwork::factory()->for($user)->create([
+        'title' => 'Dashboard Artwork',
+        'slug' => 'dashboard-artwork',
+        'description' => 'Original description',
+    ]);
+
+    $this->from(route('dashboard.artworks.edit', ['id' => $artwork->id]))
+        ->actingAs($user)
+        ->put(route('dashboard.artworks.update', ['id' => $artwork->id]), [
+            'title' => 'Dashboard Artwork',
+            'description' => '<img src="https://spam.example/test.jpg" alt="">',
+        ])
+        ->assertRedirect(route('dashboard.artworks.edit', ['id' => $artwork->id]))
+        ->assertSessionHasErrors(['description']);
+
+    expect($artwork->fresh()->description)->toBe('Original description');
+});

tests/Feature/Dashboard/ManageArtworkDescriptionValidationTest.php

@@ -0,0 +1,19 @@
+<?php
+
+declare(strict_types=1);
+
+use App\Http\Requests\Manage\ManageArtworkUpdateRequest;
+use Illuminate\Support\Facades\Validator;
+
+it('rejects raw html in the legacy manage artwork update request', function (): void {
+    $request = ManageArtworkUpdateRequest::create('/manage/123', 'POST', [
+        'title' => 'Legacy Manage Artwork',
+        'description' => '<img src="https://spam.example/test.jpg" alt="">',
+    ]);
+
+    $validator = Validator::make($request->all(), $request->rules());
+    $request->withValidator($validator);
+
+    expect($validator->fails())->toBeTrue()
+        ->and($validator->errors()->has('description'))->toBeTrue();
+});