# Issue #201: Enhance WikiLink XSS protection

## Objective

Add comprehensive XSS validation for wiki-style links [[link]] to prevent all attack vectors.

## Current State

- WikiLinkRenderer already has basic XSS protection:
  - Validates slug format with regex
  - Escapes HTML in display text
  - Has 1 XSS test for script tags
- Need to enhance with comprehensive attack vector testing

## Attack Vectors to Test

1. `[[javascript:alert(1)|Click here]]` - JavaScript URLs in slug
2. `[[data:text/html,<script>alert(1)</script>|Link]]` - Data URLs in slug
3. `[[valid-link|<img src=x onerror=alert(1)>]]` - Event handlers in display text
4. `[[valid-link|<iframe src=evil.com>]]` - Iframe injection in display text
5. `[[<script>alert(1)</script>|text]]` - Script in slug
6. `[[vbscript:alert(1)|text]]` - VBScript URLs
7. HTML entity bypass attempts

## Implementation Plan

- [x] Create scratchpad
- [x] Add comprehensive XSS tests (TDD) - 11 new tests
- [x] Enhance slug validation
- [x] Enhance display text sanitization
- [x] Verify all tests pass (25/25 passing)
- [x] Check 85%+ coverage
- [x] Type checking passing
- [x] Commit and close issue

## Changes Made

### WikiLinkRenderer.tsx

- Imported DOMPurify
- Added `isValidWikiLinkSlug()` function:
  - Rejects empty slugs
  - Blocks dangerous protocols (javascript:, data:, vbscript:, file:, about:, blob:)
  - Blocks URL-encoded dangerous protocols
  - Blocks HTML tags in slugs
  - Blocks HTML entities in slugs
  - Only allows safe characters: a-z, A-Z, 0-9, -, \_, ., /
- Enhanced `parseWikiLinks()` to use DOMPurify for display text:
  - ALLOWED_TAGS: [] (no HTML allowed)
  - KEEP_CONTENT: true (preserves text content)
  - Completely strips all HTML from display text

### WikiLinkRenderer.test.tsx

- Added 11 comprehensive XSS attack tests:
  - javascript: URLs in slug
  - data: URLs in slug
  - vbscript: URLs in slug
  - Event handlers in display text
  - iframe injection
  - script tags in slug
  - onclick handlers
  - HTML entity bypass
  - URL-encoded protocols
  - SVG with scripts
  - object/embed tags
- All 25 tests passing (14 existing + 11 new)

## Security Improvements

- Defense-in-depth: Multiple layers of validation
- Slug validation prevents malicious URLs at source
- DOMPurify removes all HTML from display text
- HTML escaping as final layer
- Comprehensive test coverage for all attack vectors

## Files to Modify

- apps/web/src/components/knowledge/WikiLinkRenderer.tsx
- apps/web/src/components/knowledge/**tests**/WikiLinkRenderer.test.tsx