Allow heading tags (h1-h6) in ContentSanitizer so news editor headings render

tests/Feature/Uploads/UploadArtworkPublishValidationTest.php

@@ -0,0 +1,29 @@
+<?php
+
+declare(strict_types=1);
+
+use App\Models\Artwork;
+use App\Models\User;
+use Illuminate\Foundation\Testing\RefreshDatabase;
+
+uses(RefreshDatabase::class);
+
+it('rejects publishing existing artwork drafts with raw html descriptions', function (): void {
+    $user = User::factory()->create();
+    $artwork = Artwork::factory()->for($user)->create([
+        'title' => 'Draft upload',
+        'slug' => 'draft-upload',
+        'is_public' => false,
+        'visibility' => Artwork::VISIBILITY_PRIVATE,
+        'is_approved' => false,
+        'published_at' => null,
+        'artwork_status' => 'draft',
+    ]);
+
+    $this->actingAs($user)
+        ->postJson("/api/uploads/{$artwork->id}/publish", [
+            'description' => '<figure><img src="https://spam.example/test.jpg" alt=""></figure>',
+        ])
+        ->assertStatus(422)
+        ->assertJsonValidationErrors(['description']);
+});

tests/Feature/Uploads/UploadAutosaveTest.php

@@ -163,3 +163,16 @@ it('invalid category rejected', function () {
 
     $response->assertStatus(422)->assertJsonValidationErrors(['category_id']);
 });
+
+it('rejects autosave descriptions with raw html', function () {
+    Storage::fake('local');
+
+    $owner = User::factory()->create();
+    $uploadId = createDraftUploadForAutosave($owner->id);
+
+    $response = $this->actingAs($owner)->postJson("/api/uploads/{$uploadId}/autosave", [
+        'description' => '<img src="https://spam.example/test.jpg" alt="">',
+    ]);
+
+    $response->assertStatus(422)->assertJsonValidationErrors(['description']);
+});