Security

Improved XSS protection in post content

We've strengthened our cross-site scripting (XSS) protection for all post content.

What changed

HTML content is now sanitized through a strict allowlist before rendering on public pages:

Allowed tags

h1, h2, h3, p, a, strong, em, code, pre,
ul, ol, li, blockquote, img, hr, br, table,
thead, tbody, tr, th, td, del

Stripped automatically

  • <script> tags and inline event handlers (onclick, onerror, etc.)

  • javascript: protocol in links

  • Inline style attributes (except safe properties like text-align)

  • <iframe>, <object>, <embed> tags
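The rules listed above map directly onto an allowlist sanitizer. The following Python script is an added example written for this page, not pushlog's own sanitizer (the changelog does not show its implementation). It uses the standard library's html.parser to rebuild a fragment from scratch, keeping only the tags named above, dropping inline event handlers, rejecting javascript: (and every other non-http(s)/mailto) URL scheme, and reducing style to text-align. The per-tag attribute allowlist, the accepted URL schemes, and the decision to discard the inner content of script, style, iframe and object (rather than just their tags) are assumptions of the example, as are the sample inputs.

```python
"""Allowlist HTML sanitizer (constructed example, not pushlog's code)."""
import html
import re
from html.parser import HTMLParser

# Tag allowlist as listed in the changelog entry.
ALLOWED_TAGS = {
    "h1", "h2", "h3", "p", "a", "strong", "em", "code", "pre",
    "ul", "ol", "li", "blockquote", "img", "hr", "br", "table",
    "thead", "tbody", "tr", "th", "td", "del",
}
VOID_TAGS = {"img", "hr", "br"}          # never get a closing tag
# Elements whose inner content is dropped as well as the tag (assumption).
DROP_CONTENT_TAGS = {"script", "style", "iframe", "object"}
# Per-tag attribute allowlist (assumption; the changelog names none).
ALLOWED_ATTRS = {
    "a": {"href", "title"},
    "img": {"src", "alt", "title"},
    "th": {"colspan", "rowspan"},
    "td": {"colspan", "rowspan"},
}
URL_ATTRS = {"href", "src"}
SAFE_SCHEMES = {"http", "https", "mailto"}   # assumption
_SCHEME_RE = re.compile(r"^([a-z][a-z0-9+.-]*):", re.I)
_TEXT_ALIGN_RE = re.compile(r"^(left|right|center|justify)$", re.I)


def safe_url(value):
    """Return the URL if its scheme is allowed or it is relative, else None."""
    # Browsers ignore ASCII control characters when reading the scheme, so
    # remove them before deciding; otherwise "java\tscript:" would slip past.
    cleaned = "".join(ch for ch in value if ord(ch) >= 0x20).strip()
    m = _SCHEME_RE.match(cleaned)
    if m is None:
        return cleaned            # relative URL such as /posts/1 or #top
    return cleaned if m.group(1).lower() in SAFE_SCHEMES else None


def safe_style(value):
    """Keep only text-align declarations with a known keyword (assumption)."""
    kept = []
    for decl in value.split(";"):
        prop, _, val = decl.partition(":")
        if prop.strip().lower() == "text-align" and _TEXT_ALIGN_RE.match(val.strip()):
            kept.append(f"text-align: {val.strip().lower()}")
    return "; ".join(kept) or None


class AllowlistSanitizer(HTMLParser):
    """Re-serialises only what the allowlist permits; everything else is dropped."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.skip_depth = 0       # > 0 while inside a DROP_CONTENT_TAGS element

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT_TAGS:
            self.skip_depth += 1
            return
        if self.skip_depth or tag not in ALLOWED_TAGS:
            return                # unknown tag is dropped; its text survives
        parts = [tag]
        permitted = ALLOWED_ATTRS.get(tag, set())
        for name, value in attrs:
            if value is None or name.startswith("on"):
                continue          # valueless attrs and event handlers are dropped
            if name == "style":
                value = safe_style(value)
            elif name in URL_ATTRS:
                value = safe_url(value) if name in permitted else None
            elif name not in permitted:
                value = None
            if value is not None:
                parts.append(f'{name}="{html.escape(value, quote=True)}"')
        self.out.append("<" + " ".join(parts) + ">")

    def handle_endtag(self, tag):
        if tag in DROP_CONTENT_TAGS:
            self.skip_depth = max(0, self.skip_depth - 1)
            return
        if self.skip_depth or tag not in ALLOWED_TAGS or tag in VOID_TAGS:
            return
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        # The parser decoded entities for us, so re-escape text on the way out.
        if not self.skip_depth:
            self.out.append(html.escape(data, quote=False))

    def handle_comment(self, data):
        pass                      # HTML comments are dropped


def sanitize(fragment):
    """Sanitize an untrusted HTML fragment for rendering on a public page."""
    parser = AllowlistSanitizer()
    parser.feed(fragment)
    parser.close()
    return "".join(parser.out)


if __name__ == "__main__":
    # Constructed sample post body exercising each rule.
    sample = ('<p onclick="steal()" style="color:red; text-align: center">Hi '
              '<script>alert(1)</script><a href="javascript:alert(1)">x</a></p>')
    print(sanitize(sample))
```

Because the output is rebuilt from parsed tokens instead of being filtered with string replacement, a disallowed attribute or tag cannot survive by being oddly spelled or nested: anything the parser does not recognise as an allowed element simply never reaches the output buffer.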

Content Security Policy

We also tightened CSP headers:

Content-Security-Policy: default-src 'self'; script-src 'self' widget.pushlog.dev
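The value of this header comes from how a browser resolves it: script-src lists the only origins scripts may load from, and every fetch directive that is not listed (images, styles, fonts, frames) falls back to default-src 'self'. The Python snippet below is an added example, not part of the changelog or of pushlog's code, that models that resolution for the header above so a reviewer can check what it permits. It is a deliberately simplified CSP evaluator (it compares host names only, ignores ports, nonces and hashes, and treats a scheme-less host source as matching the page's own scheme); the page URL https://pushlog.dev/posts/1 and the script URLs are constructed.

```python
"""Simplified CSP source-list evaluator (constructed example, not pushlog's code)."""
from urllib.parse import urlsplit

# The header as published in the changelog entry.
CSP = "default-src 'self'; script-src 'self' widget.pushlog.dev"


def parse_csp(header):
    """Split a policy into {directive: [source expressions]}; first wins on repeats."""
    policy = {}
    for directive in header.split(";"):
        tokens = directive.split()
        if tokens:
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy


def effective_sources(policy, directive):
    """A fetch directive that is absent inherits default-src."""
    return policy.get(directive, policy.get("default-src", []))


def _host_matches(pattern, host):
    # Simplification: compare host names only, support a leading "*." wildcard.
    pattern, host = pattern.split(":")[0].lower(), host.split(":")[0].lower()
    if pattern.startswith("*."):
        return host.endswith(pattern[1:])
    return pattern == host


def _source_matches(src, target, page):
    if src.lower() == "'self'":
        return (target.scheme, target.netloc) == (page.scheme, page.netloc)
    if src == "*":
        return target.scheme in ("http", "https")
    if src.endswith(":"):                         # scheme-source such as https:
        return target.scheme == src[:-1].lower()
    if "://" in src:                              # host-source with a scheme
        s = urlsplit(src)
        return target.scheme == s.scheme and _host_matches(s.netloc, target.netloc)
    # Host-source without a scheme: assumed to match the page's own scheme.
    return target.scheme == page.scheme and _host_matches(src, target.netloc)


def script_allowed(header, page_url, script_url=None, inline=False):
    """Would this policy let the page run an inline script or load script_url?"""
    sources = effective_sources(parse_csp(header), "script-src")
    if any(s.lower() == "'none'" for s in sources):
        return False
    if inline:
        # Without 'unsafe-inline' (or a nonce/hash) inline <script>, inline
        # event handlers and javascript: URLs are all refused by the browser.
        return any(s.lower() == "'unsafe-inline'" for s in sources)
    target, page = urlsplit(script_url), urlsplit(page_url)
    return any(_source_matches(src, target, page) for src in sources)


if __name__ == "__main__":
    page = "https://pushlog.dev/posts/1"                 # constructed page URL
    for url in ("https://pushlog.dev/app.js",
                "https://widget.pushlog.dev/w.js",
                "https://cdn.example/lib.js"):
        print(url, script_allowed(CSP, page, url))
    print("inline", script_allowed(CSP, page, inline=True))
```

Running it shows the layering the changelog relies on: even if a stray inline handler ever got past the sanitizer, a policy with no 'unsafe-inline' in script-src means the browser will not execute it, and img-src, style-src and frame-src all resolve to 'self' through default-src.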

These changes protect your readers while preserving all legitimate formatting. The editor experience is unchanged.
