.. _2026-04-29-html-content-security_release:

=================================================================================
2026-04-29 - HTML Content Sanitisation and MCP Token Hardening
=================================================================================

Release
==================

AgileData.io - Defence in Depth: Stronger Content and Token Security

Two security improvements were deployed this month to harden AgileData against injection risks and token manipulation: HTML content is now sanitised using DOMPurify before rendering, and MCP authentication tokens are now validated with a second parsing pass.

**HTML sanitisation** — User-contributed content that contains HTML (for example, in descriptions, annotations, or imported metadata) is now passed through DOMPurify before being rendered in the browser. DOMPurify is a well-tested open-source library that strips potentially malicious HTML or script content while preserving safe formatting. This protects against cross-site scripting (XSS) in cases where content originates from external sources.

**MCP token hardening** — MCP authentication tokens are now parsed twice during validation, catching edge cases where a malformed or manipulated token might pass a single-pass check. This adds a low-cost extra layer of assurance to our MCP authentication flow.

Both changes are infrastructure-level security improvements with no visible impact on how AgileData works day-to-day.

**What's New:**

* DOMPurify added to sanitise all HTML content before browser rendering
* MCP tokens validated with a second parse pass for stronger authentication assurance
* Both improvements deployed as part of routine security hardening

**What this means for you:**

* Stronger protection against injection-based attacks from external content
* More robust MCP authentication that is harder to circumvent
* No changes to how you use the platform

Last Refreshed
===========================

*Doc Refreshed: 2026-04-29*
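The MCP token hardening item above describes a second parsing pass but not the token format or what the second pass checks. The following is an added example, not AgileData's code, that assumes a compact ``header.payload.signature`` token (base64url segments, JSON, HMAC-SHA256 with a constructed demo key) and implements the second pass as a canonical re-encode-and-compare: whatever the first pass understood is re-serialised and must match the presented bytes exactly. The constructed duplicate-claim token is accepted by a single lenient pass (Python's JSON parser keeps the last value, other parsers keep the first) and rejected by the second pass even though its signature is valid.

```python
"""Two-pass token validation, as an illustration of the "second parsing pass"
idea. The token format below (header.payload.signature, base64url, JSON,
HMAC-SHA256) is an assumption for the example; the release note does not
describe AgileData's real MCP token format or key handling."""
import base64
import hashlib
import hmac
import json
from typing import Optional, Tuple

# Constructed demo key; a real service loads its signing key from a secret store.
DEMO_KEY = b"constructed-demo-key-not-for-production"

# Canonical JSON for this example: sorted keys, no whitespace.
_JSON_OPTS = {"separators": (",", ":"), "sort_keys": True}
_HEADER = {"alg": "HS256", "typ": "MCP"}

Result = Tuple[str, Optional[dict]]


def b64url_encode(raw: bytes) -> str:
    """Unpadded base64url, the only form the second pass accepts."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode_lenient(segment: str) -> bytes:
    """First-pass decode the way many libraries do it: add padding for the
    caller and (validate=False, the default) silently drop characters that
    are not in the alphabet. That leniency is what a second pass compensates for."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def sign(h_seg: str, p_seg: str, key: bytes) -> str:
    """HMAC-SHA256 over the raw presented segments, base64url-encoded."""
    mac = hmac.new(key, f"{h_seg}.{p_seg}".encode("ascii"), hashlib.sha256).digest()
    return b64url_encode(mac)


def mint_token(claims: dict, key: bytes = DEMO_KEY) -> str:
    """Issue a canonical token."""
    h_seg = b64url_encode(json.dumps(_HEADER, **_JSON_OPTS).encode())
    p_seg = b64url_encode(json.dumps(claims, **_JSON_OPTS).encode())
    return f"{h_seg}.{p_seg}.{sign(h_seg, p_seg, key)}"


def token_from_raw_payload(payload_json: str, key: bytes = DEMO_KEY) -> str:
    """Constructed test input: correctly signed, but the payload bytes are
    whatever the caller supplies, canonical or not."""
    h_seg = b64url_encode(json.dumps(_HEADER, **_JSON_OPTS).encode())
    p_seg = b64url_encode(payload_json.encode())
    return f"{h_seg}.{p_seg}.{sign(h_seg, p_seg, key)}"


def validate_single_pass(token: str, key: bytes = DEMO_KEY) -> Result:
    """Baseline: one lenient parse, then a signature check over the raw segments."""
    parts = token.split(".")
    if len(parts) != 3:
        return "malformed", None
    h_seg, p_seg, s_seg = parts
    try:
        header = json.loads(b64url_decode_lenient(h_seg))
        claims = json.loads(b64url_decode_lenient(p_seg))
    except ValueError:  # binascii.Error, JSONDecodeError, UnicodeDecodeError all derive from it
        return "malformed", None
    if not (isinstance(header, dict) and isinstance(claims, dict)):
        return "malformed", None
    if header.get("alg") != "HS256":
        return "bad-header", None
    if not hmac.compare_digest(sign(h_seg, p_seg, key).encode(), s_seg.encode()):
        return "bad-signature", None
    return "ok", claims


def validate_two_pass(token: str, key: bytes = DEMO_KEY) -> Result:
    """Pass one as above; pass two re-encodes what pass one understood and
    requires the result to be byte-identical to what the client presented.
    Duplicate keys, stray padding, whitespace or smuggled characters can
    survive pass one but change the canonical form, so they fail here."""
    status, claims = validate_single_pass(token, key)
    if status != "ok":
        return status, None
    h_seg, p_seg, _ = token.split(".")
    header = json.loads(b64url_decode_lenient(h_seg))
    if b64url_encode(json.dumps(header, **_JSON_OPTS).encode()) != h_seg:
        return "non-canonical", None
    if b64url_encode(json.dumps(claims, **_JSON_OPTS).encode()) != p_seg:
        return "non-canonical", None
    return "ok", claims


if __name__ == "__main__":
    good = mint_token({"sub": "alice", "scope": "read"})
    # Signature is valid, but the payload carries the same claim twice.
    dup = token_from_raw_payload('{"sub":"alice","sub":"admin"}')
    print("single pass, good:", validate_single_pass(good))
    print("two pass,    good:", validate_two_pass(good))
    print("single pass, dup: ", validate_single_pass(dup))  # accepted, as admin
    print("two pass,    dup: ", validate_two_pass(dup))     # rejected
```

The ordering matters: the second pass runs only after the signature check has passed, so it costs one extra serialisation per valid token and nothing for tokens the first pass already rejects, which is the "low-cost extra layer" the release note refers to.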