Sveltia CMS: Stored XSS in entry summary rendering via entity-decoded HTML

### Impact A stored cross-site scripting (XSS) vulnerability affected entry summary rendering in Sveltia CMS. Entry summaries that allowed limited Markdown were parsed, sanitized, and then HTML entities were decoded. This order allowed specially crafted entity-encoded HTML, such as encoded tags or event handler attributes, to become active HTML after sanitization. When the resulting summary was rendered in the CMS UI, arbitrary JavaScript could execute in the browser of a user viewing the affected entry list or search result. The practical impact is limited in currently supported Sveltia CMS usage because the CMS is intended for a single developer or a small trusted team, and [open authoring](https://sveltiacms.app/en/docs/workflows/open) / untrusted multi-user authoring is not currently implemented. Exploitation requires the ability to place malicious content into the repository or content source that the CMS loads. ### Patches The issue has been patched by changing entry summary sanitization so that HTML entity decoding happens before sanitization for Markdown-enabled summaries. This ensures any decoded HTML is processed by the sanitizer before being rendered. Users should upgrade to Sveltia CMS [v0.160.1](https://github.com/sveltia/sveltia-cms/releases/tag/v0.160.1) or later. ### Workarounds If upgrading is not immediately possible, avoid loading CMS content from untrusted authors and review content for entity-encoded HTML payloads in fields used by entry summaries. Administrators can also reduce exposure by avoiding Markdown-enabled summary rendering for untrusted content where possible, or by ensuring repository write access is limited to trusted users only. ### Resources - CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') - https://cwe.mitre.org/data/definitions/79.html