- MarkdownView: add rehype-sanitize between rehype-raw and rehype-katex
to strip scripts/event-handlers/javascript: URLs from user-authored
markdown (was stored XSS, also affected the public /pg/* route);
keep className on code/span/div so KaTeX and syntax highlighting
still work. Add rehype-sanitize ^6.0.0 to deps and lockfile.
- MarkdownContent / StandaloneMarkdownPage: parse markdown content via
parseMarkdownContent() instead of an unguarded JSON.parse, so a single
corrupt/legacy record no longer white-screens the whole page.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>