Add input sanitization and XSS protection for rich text template fields

[Smartdevs17]

Context

Email and notification templates accept rich text with HTML. Without sanitization, these fields are XSS vectors for admin users.

Current Limitation/Problem

HTML in email templates is rendered as-is. A malicious admin can inject <script> tags that execute in other admin browsers.

Expected Outcome

Server-side DOMPurify sanitization for all rich text inputs, tag/attribute allowlist, CSP headers on admin dashboard, and back-scan job for existing templates.

Acceptance Criteria

• Server-side sanitization: DOMPurify (via jsdom) on all rich text input fields
• Tag allowlist: p, span, a, img, table, tr, td, th, h1-h6, ul, ol, li, strong, em, br, hr
• Attribute allowlist: href, src, alt, style, class, target (rel=noreferrer forced on links)
• Protocol restriction: href only allows http:, https:, mailto: (reject javascript:, data:, vbscript:)
• SVGs: strip all SVG tags and attributes (common XSS vector)
• CSP headers: Content-Security-Policy on admin dashboard with script-src 'self', object-src 'none'
• Template preview: render sanitized output in preview pane before save
• Edge case: already-saved templates with malicious content (back-scan job with quarantine)

Technical Scope

• backend/shared/sanitizer/ - HTMLSanitizerService wrapping DOMPurify
• backend/shared/middleware/ - CSP header middleware
• backend/notification/domain/ - sanitize on template save
• backend/notification/jobs/ - back_scan_templates cron for existing templates
• developer-portal/ - CSP headers for admin dashboard pages

[jadonamite]

@jadonamite has applied to work on this issue as part of the Stellar Wave Program's 6th wave.

Hi maintainer can i work on this issue I have read your requirements and i am ready to jump on this and send out the fix for your review ASAP

ℹ️ Repo Maintainers: To accept this application, review their application or assign @jadonamite to this issue.

[supreme2580]

@supreme2580 has applied to work on this issue as part of the Stellar Wave Program's 6th wave.

Hi can I be assigned to this issue?

ℹ️ Repo Maintainers: To accept this application, review their application or assign @supreme2580 to this issue.

[drips-wave]

Congratulations, @jadonamite! 🎉 Your application was accepted by the repo's maintainers, and the issue is due on June 30, 2026.

🧑‍💻 @jadonamite: Please resolve the issue such that the repo's maintainers have enough time to review your contribution before the due date. You'll earn Points for completing the issue on-time, which will make you eligible for a share of the Stellar Wave Program's reward pool.

Warning

When opening a PR, please link it to this issue to ensure it gets tracked accurately. Points are awarded when this issue is marked as completed by the maintainer.

🤠 Repo maintainers: Please keep an eye on the contributor's progress and review their work before the due date. You can manage this issue, including adjusting its complexity and points, here.

🌊 Happy Wave 🌊