fix(security): sanitize notification HTML to

srijan2607 · srijan2607 · commit ef9c012af292 · 2025-12-20T04:50:45.000+05:30
prevent XSS. Closes #3123
diff --git a/frontend/package-lock.json b/frontend/package-lock.json
diff --git a/frontend/package.json b/frontend/package.json
@@ -12,6 +12,7 @@
     "classnames": "^2.5.1",
     "date-fns": "^4.1.0",
     "date-fns-tz": "^3.2.0",
+    "dompurify": "^3.3.1",
     "flag-icons": "^7.2.3",
     "formik": "^2.4.6",
     "http-proxy-middleware": "^2.0.6",
diff --git a/frontend/src/components/jobs/notification/NotificationsList.jsx b/frontend/src/components/jobs/notification/NotificationsList.jsx
@@ -1,5 +1,6 @@
 import React from "react";
 import PropTypes from "prop-types";
+import DOMPurify from "dompurify";
 import {
   ListGroup,
   ListGroupItem,
@@ -43,7 +44,9 @@ export default function NotificationsList({ notifications, refetchFn }) {
           </div>
           <ListGroupItemText
             className="text-light"
-            dangerouslySetInnerHTML={{ __html: notif?.body }}
+            dangerouslySetInnerHTML={{
+              __html: DOMPurify.sanitize(notif?.body),
+            }}
           />
           <div className="d-flex">
             {notif?.read === false && (
