Sanitize markdown in maintainers IssuesTab discussion rendering (RenderMarkdownContent)

[Jagadeeshftw]

📌 Description

IssuesTab (src/features/maintainers/components/issues/IssuesTab.tsx) renders discussion content via RenderMarkdownContent from src/app/utils/renderMarkdown.tsx, which uses react-markdown with no explicit sanitization and no javascript: link guard. Discussion text originates from external GitHub content.

💡 Why it matters: Unsanitized maintainer-discussion markdown is an XSS vector.

🧩 Requirements and context

• Add rehype-sanitize (or equivalent) to RenderMarkdownContent.
• Block javascript:/data: URLs in links.
• Ensure raw HTML in markdown is not rendered.
• Add tests asserting script/HTML payloads are neutralized.

Non-functional requirements

• Must be secure, tested, and documented.
• Should be efficient and easy to review.

🛠️ Suggested execution

1. Fork the repo and create a branch

git checkout -b security/sanitize-discussion-markdown

2. Implement changes

• Write/modify the relevant source: src/app/utils/renderMarkdown.tsx
• Write comprehensive tests: src/app/utils/renderMarkdown.test.tsx
• Add documentation: TSDoc + security note
• Include TSDoc doc comments
• Validate security assumptions: XSS payloads neutralized

3. Test and commit

• Run tests:

npm run test

• Cover edge cases: <script>, inline event handlers, javascript: links
• Include test output and security notes in the PR description.

Example commit message

fix(security): sanitize discussion markdown rendering

✅ Acceptance criteria

• Sanitization plugin applied
• Dangerous URL schemes blocked
• Raw HTML not rendered
• Tests assert payloads neutralized

🔒 Security notes

Mitigates stored XSS from external GitHub discussion content.

📋 Guidelines

• Minimum 95% test coverage
• Clear documentation
• Timeframe: 96 hours

[444notdotun]

Hi,

With 4 years of hands-on experience across backend, frontend, and smart contract development, I'm confident I can complete this task quickly and to a high standard. I've reviewed the requirements in detail and fully understand what's needed.

My focus is on writing clean, efficient, and maintainable code backed by thorough testing and industry best practices. I'll ensure the solution is production-ready and delivered on time.

I expect to have my PR ready in less than 10 hours.

[leocagli]

This one looks interesting — I have a clear idea of how to approach it. Please assign me.

[grantfox-oss]

🎉 This issue has been marked as completed on GrantFox as part of the Official Campaign campaign!

@leocagli's PR #214 was approved and merged by @Jagadeeshftw.

🏆 @leocagli: You earned 35 FoxPoints for this contribution! Your current tier: Explorer (611 total points). Track your full progress on GrantFox.

👏 Great work, @leocagli! Keep contributing to Grainlify.