fix(voyage): sanitize bodyHtml via DOMPurify in renderArtifact (1d3591d4)

plugins/voyage/playground/voyage-playground.html

@@ -1248,6 +1248,13 @@ playground first-run shows a complete round-trip-able artifact.
         // v4.3 Step 25 — strip unsafe HTML-comments before markdown-it sees them.
         var safeText = stripUnsafeComments(text || '');
         var bodyHtml = md.render(safeText);
+        // v4.3 Step 1 — defense in depth: sanitize bodyHtml via DOMPurify
+        // (finding 1d3591d4). Applied to bodyHtml ONLY — fmHtml uses our
+        // own escapeHtml() on capturedFrontmatter and intentional
+        // <details>/<summary> markup that DOMPurify would otherwise strip.
+        var safeBody = (typeof window !== 'undefined' && window.DOMPurify && typeof window.DOMPurify.sanitize === 'function')
+          ? window.DOMPurify.sanitize(bodyHtml, { USE_PROFILES: { html: true } })
+          : escapeHtml(bodyHtml);
         // Pre-render-then-wrap for <details>: prepend a folded frontmatter
         // <details> block at the top if the front-matter plugin captured one.
         var fmHtml = '';
@@ -1255,7 +1262,7 @@ playground first-run shows a complete round-trip-able artifact.
           fmHtml = '<details><summary>Frontmatter</summary><pre><code>' +
             escapeHtml(capturedFrontmatter) + '</code></pre></details>';
         }
-        return fmHtml + bodyHtml;
+        return fmHtml + safeBody;
       }
 
       function escapeHtml(s) {