From c2218e4c8c88b3b774e26d0f3d9424ddfe5387e8 Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Mon, 30 Mar 2026 13:43:42 +0000
Subject: [PATCH 1/3] Initial plan
From d175cb33ada8d0b2b9173c70a52e12ede11071f4 Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Mon, 30 Mar 2026 13:45:17 +0000
Subject: [PATCH 2/3] Add HtmlSanitizer package to TextHTML plugin
Agent-Logs-Url: https://github.com/fluentcms/FluentCMS/sessions/3dec0a96-d3c2-4c65-b9ba-866ae059056a
Co-authored-by: pournasserian <24959477+pournasserian@users.noreply.github.com>
---
.../FluentCMS.Web.Plugins.TextHTML.csproj | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/src/Frontend/Plugins/FluentCMS.Web.Plugins.TextHTML/FluentCMS.Web.Plugins.TextHTML.csproj b/src/Frontend/Plugins/FluentCMS.Web.Plugins.TextHTML/FluentCMS.Web.Plugins.TextHTML.csproj
index e1cfd29dc..6005e9744 100644
--- a/src/Frontend/Plugins/FluentCMS.Web.Plugins.TextHTML/FluentCMS.Web.Plugins.TextHTML.csproj
+++ b/src/Frontend/Plugins/FluentCMS.Web.Plugins.TextHTML/FluentCMS.Web.Plugins.TextHTML.csproj
@@ -27,4 +27,8 @@
+
+
+
+
From de3a4639366bcde1294bf9abd680e582e7cd90bf Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Mon, 30 Mar 2026 13:50:41 +0000
Subject: [PATCH 3/3] Fix XSS vulnerability in TextHTML plugin by sanitizing
HTML content
Agent-Logs-Url: https://github.com/fluentcms/FluentCMS/sessions/3dec0a96-d3c2-4c65-b9ba-866ae059056a
Co-authored-by: pournasserian <24959477+pournasserian@users.noreply.github.com>
---
.../FluentCMS.Web.Plugins.TextHTML.csproj | 2 +-
.../TextHTMLViewPlugin.razor | 2 +-
.../TextHTMLViewPlugin.razor.cs | 9 +++++++++
3 files changed, 11 insertions(+), 2 deletions(-)
diff --git a/src/Frontend/Plugins/FluentCMS.Web.Plugins.TextHTML/FluentCMS.Web.Plugins.TextHTML.csproj b/src/Frontend/Plugins/FluentCMS.Web.Plugins.TextHTML/FluentCMS.Web.Plugins.TextHTML.csproj
index 6005e9744..9fc7a293d 100644
--- a/src/Frontend/Plugins/FluentCMS.Web.Plugins.TextHTML/FluentCMS.Web.Plugins.TextHTML.csproj
+++ b/src/Frontend/Plugins/FluentCMS.Web.Plugins.TextHTML/FluentCMS.Web.Plugins.TextHTML.csproj
@@ -29,6 +29,6 @@
-
+
diff --git a/src/Frontend/Plugins/FluentCMS.Web.Plugins.TextHTML/TextHTMLViewPlugin.razor b/src/Frontend/Plugins/FluentCMS.Web.Plugins.TextHTML/TextHTMLViewPlugin.razor
index eb73b6e32..33f35c177 100644
--- a/src/Frontend/Plugins/FluentCMS.Web.Plugins.TextHTML/TextHTMLViewPlugin.razor
+++ b/src/Frontend/Plugins/FluentCMS.Web.Plugins.TextHTML/TextHTMLViewPlugin.razor
@@ -10,7 +10,7 @@
else
{
- @((MarkupString)Item.Content)
+ @((MarkupString)_sanitizedContent)
}
}
diff --git a/src/Frontend/Plugins/FluentCMS.Web.Plugins.TextHTML/TextHTMLViewPlugin.razor.cs b/src/Frontend/Plugins/FluentCMS.Web.Plugins.TextHTML/TextHTMLViewPlugin.razor.cs
index e1be86e55..a18041209 100644
--- a/src/Frontend/Plugins/FluentCMS.Web.Plugins.TextHTML/TextHTMLViewPlugin.razor.cs
+++ b/src/Frontend/Plugins/FluentCMS.Web.Plugins.TextHTML/TextHTMLViewPlugin.razor.cs
@@ -1,9 +1,14 @@
+using Ganss.Xss;
+
namespace FluentCMS.Web.Plugins.TextHTML;
public partial class TextHTMLViewPlugin
{
private const string CONTENT_TYPE_NAME = nameof(TextHTMLContent);
private TextHTMLContent? Item { get; set; }
+ private static readonly HtmlSanitizer Sanitizer = new();
+
+ private string _sanitizedContent = string.Empty;
private async Task UpdateContent(string content)
{
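Review bot: The new `private static readonly HtmlSanitizer Sanitizer = new();` is a process-wide instance shared by every circuit that renders this component, and its allow-lists (`AllowedTags`, `AllowedAttributes`, `AllowedSchemes`) are mutable collections, so this is only sound if nothing modifies the configuration after construction and concurrent `Sanitize` calls are supported by the package; confirm against the HtmlSanitizer documentation for the version pinned in the csproj. Relying on the package's default allow-list is reasonable, but the intent should be stated next to the field so a later change does not start tweaking it per request, e.g. `// Shared, default-configured sanitizer; treated as immutable - never mutate its allow-lists at runtime.` The class body and the `UpdateContent` method continue past the end of this hunk.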
@@ -11,6 +16,7 @@ private async Task UpdateContent(string content)
return;
Item.Content = content;
+ _sanitizedContent = Sanitizer.Sanitize(Item.Content);
await ApiClient.PluginContent.UpdateAsync(CONTENT_TYPE_NAME, Plugin.Id, Item.Id, Item.ToDictionary());
}
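Review bot: `_sanitizedContent = Sanitizer.Sanitize(Item.Content);` keeps the stored `Item.Content` as the raw, unsanitized HTML and applies the sanitizer only to this component's render path, which is the right place for output encoding but means any other consumer of `TextHTMLContent.Content` (presumably other views or API clients) gets no protection from this change. That design choice is worth recording inline so the next reader does not assume the persisted value is safe, e.g. `// Content is persisted as authored; sanitization is applied at every render site, not at storage.` The same note applies to the assignment in `OnInitializedAsync` in the next hunk. `UpdateContent` starts outside this hunk.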
@@ -27,7 +33,10 @@ protected override async Task OnInitializedAsync()
var response = await ApiClient.PluginContent.GetAllAsync(CONTENT_TYPE_NAME, Plugin.Id);
if (response?.Data != null && response.Data.ToContentList().Count != 0)
+ {
Item = response.Data.ToContentList().FirstOrDefault() ?? default!;
+ _sanitizedContent = Item is not null ? Sanitizer.Sanitize(Item.Content) : string.Empty;
+ }
}
}
}
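Review bot: `_sanitizedContent = Item is not null ? Sanitizer.Sanitize(Item.Content) : string.Empty;` guards the null `Item` that the preceding `?? default!` can produce, but not a null `Item.Content`; whether `TextHTMLContent.Content` is nullable is not visible here, and whether `Sanitize` tolerates null depends on the package, so the safer form is `_sanitizedContent = Item?.Content is { } html ? Sanitizer.Sanitize(html) : string.Empty;`. This also makes the expression identical in shape to the assignment in `UpdateContent`, which currently duplicates the sanitize-and-cache step; a small private helper that both call would keep the two render paths from drifting apart. `OnInitializedAsync` begins before the start of this hunk.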