From 608c5d131726641a66fa82d23b6375f586918ae8 Mon Sep 17 00:00:00 2001
From: Hisham Bin Ateya <hishamco_2007@yahoo.com>
Date: Mon, 25 May 2026 20:48:57 +0300
Subject: [PATCH 1/2] Use HtmlSanitizer in NewsItemApiController

---
 .../Areas/News/Controllers/NewsItemApiController.cs    | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

diff --git a/src/Modules/SimplCommerce.Module.News/Areas/News/Controllers/NewsItemApiController.cs b/src/Modules/SimplCommerce.Module.News/Areas/News/Controllers/NewsItemApiController.cs
index 73ff74ca50..6f4e603711 100644
--- a/src/Modules/SimplCommerce.Module.News/Areas/News/Controllers/NewsItemApiController.cs
+++ b/src/Modules/SimplCommerce.Module.News/Areas/News/Controllers/NewsItemApiController.cs
@@ -2,6 +2,7 @@
 using System.IO;
 using System.Linq;
 using System.Threading.Tasks;
+using Ganss.Xss;
 using Microsoft.AspNetCore.Authorization;
 using Microsoft.AspNetCore.Http;
 using Microsoft.AspNetCore.Mvc;
@@ -27,6 +28,7 @@ public class NewsItemApiController : Controller
         private readonly INewsItemService _newsItemService;
         private readonly IMediaService _mediaService;
         private readonly IWorkContext _workContext;
+        private readonly HtmlSanitizer _htmlSanitizer = new();
 
         public NewsItemApiController(IRepository<NewsItem> newsItemRepository, INewsItemService newsItemService, IMediaService mediaService, IWorkContext workContext)
         {
@@ -127,8 +129,8 @@ public async Task<IActionResult> Post(NewsItemForm model)
                 MetaTitle = model.MetaTitle,
                 MetaKeywords = model.MetaKeywords,
                 MetaDescription = model.MetaDescription,
-                ShortContent = model.ShortContent,
-                FullContent = model.FullContent,
+                ShortContent = _htmlSanitizer.Sanitize(model.ShortContent),
+                FullContent = _htmlSanitizer.Sanitize(model.FullContent),
                 IsPublished = model.IsPublished,
                 CreatedBy = currentUser,
                 LatestUpdatedBy = currentUser
@@ -172,8 +174,8 @@ public async Task<IActionResult> Put(long id, NewsItemForm model)
             newsItem.MetaTitle = model.MetaTitle;
             newsItem.MetaKeywords = model.MetaKeywords;
             newsItem.MetaDescription = model.MetaDescription;
-            newsItem.ShortContent = model.ShortContent;
-            newsItem.FullContent = model.FullContent;
+            newsItem.ShortContent = _htmlSanitizer.Sanitize(model.ShortContent);
+            newsItem.FullContent = _htmlSanitizer.Sanitize(model.FullContent);
             newsItem.IsPublished = model.IsPublished;
             newsItem.LatestUpdatedOn = DateTimeOffset.Now;
             newsItem.LatestUpdatedBy = currentUser;

From 15f5030d49ffc4c5f3befbb593a45f7d7a3d00e2 Mon Sep 17 00:00:00 2001
From: Hisham Bin Ateya <hishamco_2007@yahoo.com>
Date: Mon, 25 May 2026 21:05:10 +0300
Subject: [PATCH 2/2] Add missing reference

---
 .../SimplCommerce.Module.News.csproj                          | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/src/Modules/SimplCommerce.Module.News/SimplCommerce.Module.News.csproj b/src/Modules/SimplCommerce.Module.News/SimplCommerce.Module.News.csproj
index 36153835d5..21baafb1d2 100644
--- a/src/Modules/SimplCommerce.Module.News/SimplCommerce.Module.News.csproj
+++ b/src/Modules/SimplCommerce.Module.News/SimplCommerce.Module.News.csproj
@@ -8,6 +8,10 @@
     <EmbeddedResource Include="bundleconfig.json" />
   </ItemGroup>
 
+  <ItemGroup>
+    <PackageReference Include="HtmlSanitizer" Version="9.0.892" />
+  </ItemGroup>
+
   <ItemGroup>
     <ProjectReference Include="..\..\SimplCommerce.Infrastructure\SimplCommerce.Infrastructure.csproj" />
     <ProjectReference Include="..\SimplCommerce.Module.Core\SimplCommerce.Module.Core.csproj" />