Allow heading tags (h1-h6) in ContentSanitizer so news editor headings render

tests/Feature/Uploads/UploadAutosaveTest.php

@@ -163,3 +163,16 @@ it('invalid category rejected', function () {
 
     $response->assertStatus(422)->assertJsonValidationErrors(['category_id']);
 });
+
+it('rejects autosave descriptions with raw html', function () {
+    Storage::fake('local');
+
+    $owner = User::factory()->create();
+    $uploadId = createDraftUploadForAutosave($owner->id);
+
+    $response = $this->actingAs($owner)->postJson("/api/uploads/{$uploadId}/autosave", [
+        'description' => '<img src="https://spam.example/test.jpg" alt="">',
+    ]);
+
+    $response->assertStatus(422)->assertJsonValidationErrors(['description']);
+});