2026-04-29 - HTML Content Sanitisation and MCP Token Hardening
Release
AgileData.io - Defence in Depth: Stronger Content and Token Security
Two security improvements were deployed this month to harden AgileData against injection risks and token manipulation: HTML content is now sanitised using DOMPurify before rendering, and MCP authentication tokens are now validated with a second parsing pass.
HTML sanitisation — User-contributed content that contains HTML (for example, in descriptions, annotations, or imported metadata) is now passed through DOMPurify before being rendered in the browser. DOMPurify is a well-tested open-source library that strips any potentially malicious HTML or script content while preserving safe formatting. This protects against cross-site scripting (XSS) in cases where content originates from external sources.
MCP token hardening — MCP authentication tokens are now parsed twice during validation, catching edge cases where a malformed or manipulated token might pass a single-pass check. This adds a low-cost extra layer of assurance to our MCP authentication flow.
Both changes are infrastructure-level security improvements with no visible impact on how AgileData works day-to-day.
What’s New:
DOMPurify added to sanitise all HTML content before browser rendering
MCP tokens validated with a second parse pass for stronger authentication assurance
Both improvements deployed as part of routine security hardening
What this means for you:
Stronger protection against injection-based attacks from external content
More robust MCP authentication that is harder to circumvent
No changes to how you use the platform
Last Refreshed
Doc Refreshed: 2026-04-29