I’ve just published a new blog post: https://www.chornonoh-vova.com/blog/xss-security-vulnerability
It was one of those situations where you technically know all the theory… but the bug still slips right past you anyway.
When all of the pieces (raw HTML from the DB, dangerouslySetInnerHTML) line up together, they create such vulnerabilities 🤦‍♂️. Read more in the blog post.