What’s up everyone? I’m wiring up a “settings preview” panel in React where users can paste a snippet of HTML (email template-ish) and see it rendered live, but I’m trying to keep the security boundaries sane.
// Current preview component: renders the pasted string as raw HTML,
// so any <script>, on* handler or javascript: URL in it runs in the app's origin.
const Preview = ({ html }: { html: string }) => (
  <div className="preview" dangerouslySetInnerHTML={{ __html: html }} />
);
If I need basic formatting (links, bold, lists) but want to prevent script/event-handler injection and also avoid breaking legit markup, what’s the practical approach you’d ship here (sanitize library, iframe sandbox, or something else) and why?
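For reference, here is an allowlist sanitizer in the shape I would put in front of that `dangerouslySetInnerHTML` (an added example, not code from the original post): output is rebuilt only from allowlisted tags and attributes, `href` values must parse as absolute URLs with an allowlisted scheme, and any `<` the tokenizer does not recognise as an allowed tag is escaped to text instead of passed through.

```javascript
// Allowlist HTML sanitizer for a "basic formatting" preview (example code).
// Tags, attributes and URL schemes below are assumptions for the demo policy.
const ALLOWED_TAGS = new Set(["p", "br", "b", "strong", "i", "em", "u", "ul", "ol", "li", "a"]);
const VOID_TAGS = new Set(["br"]);
// Attributes permitted per tag; everything else (on*, style, id, ...) is dropped.
const ALLOWED_ATTRS = { a: new Set(["href", "title"]) };
const ALLOWED_SCHEMES = new Set(["http:", "https:", "mailto:"]);

const TAG_RE = /^<(\/?)([a-zA-Z][a-zA-Z0-9]*)([^>]*)>/;
const ATTR_RE = /([a-zA-Z][a-zA-Z0-9-]*)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;

const escapeAttr = (v) => v.replace(/&/g, "&amp;").replace(/"/g, "&quot;").replace(/</g, "&lt;");

// Accept only absolute URLs with an allowlisted scheme. The WHATWG URL parser
// strips tabs/newlines and lower-cases the scheme, so "java\tscript:" is caught.
function safeUrl(value) {
  try {
    const url = new URL(value);
    return ALLOWED_SCHEMES.has(url.protocol) ? url.href : null;
  } catch { return null; }
}

// Rebuild an opening tag from scratch, keeping only allowlisted attributes.
function buildTag(name, rawAttrs) {
  const allowed = ALLOWED_ATTRS[name];
  let out = `<${name}`;
  let hasHref = false;
  if (allowed) {
    for (const m of rawAttrs.matchAll(ATTR_RE)) {
      const key = m[1].toLowerCase();
      let value = m[2] ?? m[3] ?? m[4] ?? "";
      if (!allowed.has(key)) continue;
      if (key === "href") { value = safeUrl(value); if (value === null) continue; hasHref = true; }
      out += ` ${key}="${escapeAttr(value)}"`;
    }
  }
  if (hasHref) out += ' rel="noopener noreferrer"';
  return out + ">";
}

function sanitizeHtml(input) {
  let out = "", i = 0;
  while (i < input.length) {
    const lt = input.indexOf("<", i);
    if (lt === -1) { out += input.slice(i); break; }
    out += input.slice(i, lt);                 // text runs are passed through
    const m = TAG_RE.exec(input.slice(lt));
    const name = m && m[2].toLowerCase();
    if (m && ALLOWED_TAGS.has(name)) {
      out += m[1] === "/" ? (VOID_TAGS.has(name) ? "" : `</${name}>`) : buildTag(name, m[3]);
      i = lt + m[0].length;
    } else {                                   // <script>, <img>, <!-- ... -->, stray "<": render literally
      out += "&lt;";
      i = lt + 1;
    }
  }
  return out;
}
```

In the React component, pass `sanitizeHtml(html)` to `__html` instead of the raw string; for richer markup or fully untrusted templates, a tree-based library such as DOMPurify and/or a sandboxed iframe gives a sturdier boundary than a hand-rolled tokenizer.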