unsafeHTML

[nemi-notrace]

this is .. unsafe ;) we likely need to check the HTML there. or only allow strings not html. we cannot inject any HTML coming from the repco node into the DOM, this opens it up to XSS etc vulnerabilities.

this is a bit of a bigger issue that we'll have to address in repco. for now, we should either sanitze the HTML here or convert it to string only (remove all html tags).

Originally posted by @Frando in #60 (comment)

[nemi-notrace]

I will fix this by using the HTML Sanitizer API for now.

However, I don't think this is a good and permanent solution on the one hand because we already need it for the frontend and I also think that a repco node should guarantee secure content or the clients. This also goes further that we need better validation on the import itself. For the HTML problem I would suggest we do the sanatizing on the import from the datasource. If the original content is needed in a special case, you have to fish it out of the SourceRecord, which we also store, in a more complicated way.