What
Three dangerouslySetInnerHTML usages flagged by semgrep:
src/app/(marketing)/blog/[slug]/page.tsx:67, 129
src/components/feature-selector.tsx:89
Today only first-party MDX is rendered through these paths → low risk. But pin a sanitiser before opening blog/feature content to community contributors.
Fix
import DOMPurify from 'isomorphic-dompurify';
<div dangerouslySetInnerHTML={{ __html: DOMPurify.sanitize(html) }} />
Or migrate the MDX rendering to next-mdx-remote with a strict component allowlist (no raw HTML).
Source
Owner-self code audit on 2026-05-04. Section 2.
What
Three
dangerouslySetInnerHTMLusages flagged by semgrep:src/app/(marketing)/blog/[slug]/page.tsx:67, 129src/components/feature-selector.tsx:89Today only first-party MDX is rendered through these paths → low risk. But pin a sanitiser before opening blog/feature content to community contributors.
Fix
Or migrate the MDX rendering to
next-mdx-remotewith a strict component allowlist (no raw HTML).Source
Owner-self code audit on 2026-05-04. Section 2.