```ruby
require 'sanitize'
class HtmlSanitizer
  ALLOWED_TAGS = %w[p br a pre code em strong ul ol li blockquote h1 h2 h3].freeze
  ALLOWED_ATTRS = %w[href title rel target].freeze
  # Without a protocol allowlist, javascript: and data: hrefs pass through untouched.
  PROTOCOLS = { 'a' => { 'href' => ['http', 'https', 'mailto', :relative] } }.freeze

  def call(html)
    # Sanitize.fragment replaces the deprecated Sanitize.clean; rel is forced on every link.
    Sanitize.fragment(html, elements: ALLOWED_TAGS, attributes: { 'a' => ALLOWED_ATTRS },
                            protocols: PROTOCOLS,
                            add_attributes: { 'a' => { 'rel' => 'noopener noreferrer' } })
  end
end
```
User content needs defense in depth: markdown rendering + sanitization + link attribute hygiene. Keep the allowed tags list explicit and test it. Don’t trust upstream renderers to be safe by default.