fix: sanitize RichText HTML (XSS) and patch rollup path traversal vuln

[Copilot]

RichText.jsx wrote the value HTML string directly to the DOM via innerHTML and dangerouslySetInnerHTML with no sanitization, enabling event-handler injection (e.g. <img onerror="...">). A pre-existing high-severity rollup path traversal (GHSA-mw96-cpmx-2vgc) was also present as a transitive dependency.

Changes

• XSS fix — RichText.jsx: Import DOMPurify 3.3.2 and sanitize value at both injection points:

  // useEffect sync
  el.innerHTML = DOMPurify.sanitize( value || '' );
  
  // RichText.Content save output
  dangerouslySetInnerHTML={ { __html: DOMPurify.sanitize( value ) } }

• Dependency updates:

  • rollup → 4.59.0 (patches GHSA-mw96-cpmx-2vgc, Arbitrary File Write via Path Traversal)
  • vite → 7.3.1 (resolves the transitive rollup pin)
  • dompurify → 3.3.2 (new dependency, no known advisories)

Version alignment (confirmed, no changes)

Remote release tag v2.0.0, package.json, and CHANGELOG top entry all match — no discrepancy.

Original prompt

/create-agent A security researcher for JavaScript or typescript.

[Chronological Review: The conversation began with the user questioning the accuracy of the release version on the remote repository, specifically asking if it was still at version 1.0 despite updates in the CHANGELOG. The user confirmed their inquiry with a simple "Yes."]

[Intent Mapping: The user explicitly requested confirmation about the release version on the remote repository, indicating a concern that it may not reflect recent changes documented in the CHANGELOG.]

[Technical Inventory: The conversation references a Git repository named "Gutendocs," owned by "flexseth," with the current and default branch being "main." The user is likely involved in version control and release management.]

[Code Archaeology: No specific files or code changes were discussed in detail during this exchange, but the CHANGELOG is implied to be a relevant document.]

[Progress Assessment: The user is seeking clarification on the release version, indicating that they are in a review or verification phase regarding version control.]

[Context Validation: The user’s inquiry about the release version and the CHANGELOG suggests they are preparing for a release or need to ensure that the versioning is correct before proceeding with further actions.]

[Recent Commands Analysis: The last agent command involved retrieving information about the repository "Gutendocs," which includes details about the current branch and owner. The tool results confirmed the repository's status but did not provide specific versioning information. The agent was actively engaged in clarifying the release version when the token budget was exceeded.]

1. Conversation Overview: - Primary Objectives: The user requested confirmation about the release version on the remote repository, asking, "The release version on the remote is still 1.0 - is that accurate? I thought we upped it in the CHANGELOG?" - Session Context: The conversation focused on verifying the release version in relation to updates made in the CHANGELOG, indicating a concern for accurate versioning. - User Intent Evolution: The user's intent remained consistent, seeking clarity on the versioning status of the repository.

2. Technical Foundation:

• Repository: Gutendocs
• Owner: flexseth
• Current Branch: main
• Default Branch: main

3. Codebase Status:

• CHANGELOG:
• Purpose: To document version changes and updates for the project.
• Current State: The user believes it has been updated but is questioning the reflected version on the remote.
• Key Code Segments: Not specified in the conversation.
• Dependencies: Related to version control and release management.

4. Problem Resolution:

• Issues Encountered: Uncertainty regarding the accuracy of the release version on the remote repository.
• Solutions Implemented: None yet, as the user is still inquiring about the status.
• Debugging Context: The user is verifying versioning before proceeding with further actions.
• Lessons Learned: Importance of aligning the CHANGELOG with the actual release version.

5. Progress Tracking:

• Completed Tasks: User has confirmed their inquiry about the release version.
• Partially Complete Work: Awaiting confirmation on the release version status.
• Validated Outcomes: None yet, as the inquiry is still open.

6. Active Work State:

• Current Focus: The user is focused on verifying the release version of the repository.
• Recent Context: The user asked about the accuracy of the release version and confirmed their inquiry.
• Working Code: No specific code was discussed in this context.
• Immediate Context: The user was questioning the release version when the token budget was exceeded.

7. Recent Operations:

• Last Agent Commands: The agent retrieved information about the repository "Gutendocs."
• Tool Results Summary: The repository details were confirmed, but specific versioning information was not provided.
• Pre-Summary State: The agent was actively clarifying the release version when the token budget was exceeded.
• Operation Context: The commands were executed to provide context for the user's inquiry about versioning.

8. Continuation Plan:

• Pending Task 1: Confirm the actual release version on the remote repository and compare it with the CHANGELOG.
• Pending Task 2: Investigate any discrepancies between the CHANGELOG and the remote version.
• Priority Information: Verifying the release version is critical before any further actions can be taken.
• Next Action: The immediate next step is to check the remote repository for the current release version and ensure it aligns with the CHANGELOG updates.

Created from VS Code.

---

✨ Let Copilot coding agent set things up for you — coding agent works faster and does higher quality work when set up for your repo.

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
gutendocs	Ready	Preview, Comment	Mar 6, 2026 8:48pm