fluentcms · Copilot · Mar 30, 2026 · Mar 30, 2026 · Mar 30, 2026 · Copilot
diff --git a/src/Frontend/Plugins/FluentCMS.Web.Plugins.TextHTML/FluentCMS.Web.Plugins.TextHTML.csproj b/src/Frontend/Plugins/FluentCMS.Web.Plugins.TextHTML/FluentCMS.Web.Plugins.TextHTML.csproj
@@ -27,4 +27,8 @@
     <None Include="..\..\..\icon.png" Pack="true" PackagePath="icon.png" />
     <None Include="README.md" Pack="true" PackagePath="README.md" />
   </ItemGroup>
+
+  <ItemGroup>
+    <PackageReference Include="HtmlSanitizer" Version="9.0.892" />
+  </ItemGroup>
 </Project>
diff --git a/src/Frontend/Plugins/FluentCMS.Web.Plugins.TextHTML/TextHTMLViewPlugin.razor b/src/Frontend/Plugins/FluentCMS.Web.Plugins.TextHTML/TextHTMLViewPlugin.razor
@@ -10,7 +10,7 @@
     else
     {
         <div class="f-html-content">
-            @((MarkupString)Item.Content)
+            @((MarkupString)_sanitizedContent)
         </div>
     }
 }
diff --git a/src/Frontend/Plugins/FluentCMS.Web.Plugins.TextHTML/TextHTMLViewPlugin.razor.cs b/src/Frontend/Plugins/FluentCMS.Web.Plugins.TextHTML/TextHTMLViewPlugin.razor.cs
@@ -1,16 +1,22 @@
+using Ganss.Xss;
+
 namespace FluentCMS.Web.Plugins.TextHTML;
 
 public partial class TextHTMLViewPlugin
 {
     private const string CONTENT_TYPE_NAME = nameof(TextHTMLContent);
     private TextHTMLContent? Item { get; set; }
+    private static readonly HtmlSanitizer Sanitizer = new();
+
+    private string _sanitizedContent = string.Empty;
 
     private async Task UpdateContent(string content)
     {
         if (Item is null)
             return;
 
         Item.Content = content;
+        _sanitizedContent = Sanitizer.Sanitize(Item.Content);
-        Item.Content = content;
-        _sanitizedContent = Sanitizer.Sanitize(Item.Content);
+        var sanitized = Sanitizer.Sanitize(content);
+        Item.Content = sanitized;
+        _sanitizedContent = sanitized;
-        Item.Content = content;
-        _sanitizedContent = Sanitizer.Sanitize(Item.Content);
+        var sanitized = Sanitizer.Sanitize(content);
+        Item.Content = sanitized;
+        _sanitizedContent = sanitized;
         await ApiClient.PluginContent.UpdateAsync(CONTENT_TYPE_NAME, Plugin.Id, Item.Id, Item.ToDictionary());
     }
 
@@ -27,7 +33,10 @@ protected override async Task OnInitializedAsync()
             var response = await ApiClient.PluginContent.GetAllAsync(CONTENT_TYPE_NAME, Plugin.Id);
 
             if (response?.Data != null && response.Data.ToContentList<TextHTMLContent>().Count != 0)
+            {
                 Item = response.Data.ToContentList<TextHTMLContent>().FirstOrDefault() ?? default!;
+                _sanitizedContent = Item is not null ? Sanitizer.Sanitize(Item.Content) : string.Empty;
-            if (response?.Data != null && response.Data.ToContentList<TextHTMLContent>().Count != 0)
-            {
-                Item = response.Data.ToContentList<TextHTMLContent>().FirstOrDefault() ?? default!;
-                _sanitizedContent = Item is not null ? Sanitizer.Sanitize(Item.Content) : string.Empty;
+            if (response?.Data != null)
+            {
+                var items = response.Data.ToContentList<TextHTMLContent>();
+                if (items.Count != 0)
+                {
+                    Item = items.FirstOrDefault() ?? default!;
+                    _sanitizedContent = Item is not null ? Sanitizer.Sanitize(Item.Content) : string.Empty;
+                }
-            if (response?.Data != null && response.Data.ToContentList<TextHTMLContent>().Count != 0)
-            {
-                Item = response.Data.ToContentList<TextHTMLContent>().FirstOrDefault() ?? default!;
-                _sanitizedContent = Item is not null ? Sanitizer.Sanitize(Item.Content) : string.Empty;
+            if (response?.Data != null)
+            {
+                var items = response.Data.ToContentList<TextHTMLContent>();
+                if (items.Count != 0)
+                {
+                    Item = items.FirstOrDefault() ?? default!;
+                    _sanitizedContent = Item is not null ? Sanitizer.Sanitize(Item.Content) : string.Empty;
+                }
+            }
         }
     }
 }