Summary
The descriptionHtml field (added in #727) is rendered via Astro's set:html directive in src/components/overrides/PageTitle.astro (connector and non-connector branches) without any HTML sanitization. It is only typed as z.string().optional() in src/content.config.ts.
While current values in src/data/agent-connectors/description-html.json and MDX frontmatter are benign, any future value containing scripts, event handlers, or unsafe URLs (javascript:, data:) would be injected as-is.
Risk
XSS via frontmatter or data-file values if unsafe HTML is introduced in the future.
Suggested Fix
Sanitize descriptionHtml before rendering — allow only safe tags/attributes (e.g., <a> with http/https hrefs) using a vetted library such as DOMPurify or sanitize-html. Optionally enforce the allowlist at ingest time in the content schema as well.
References
/cc @saif-at-scalekit
Summary
The
descriptionHtmlfield (added in #727) is rendered via Astro'sset:htmldirective insrc/components/overrides/PageTitle.astro(connector and non-connector branches) without any HTML sanitization. It is only typed asz.string().optional()insrc/content.config.ts.While current values in
src/data/agent-connectors/description-html.jsonand MDX frontmatter are benign, any future value containing scripts, event handlers, or unsafe URLs (javascript:,data:) would be injected as-is.Risk
XSS via frontmatter or data-file values if unsafe HTML is introduced in the future.
Suggested Fix
Sanitize
descriptionHtmlbefore rendering — allow only safe tags/attributes (e.g.,<a>withhttp/httpshrefs) using a vetted library such asDOMPurifyorsanitize-html. Optionally enforce the allowlist at ingest time in the content schema as well.References
/cc @saif-at-scalekit