Hi @Supabase team,

I'm submitting this as a security inquiry regarding potential XSS risks in the way Changelog content (and other pages rendering discussions) is displayed. I want to ensure responsible testing and would like guidance on how to proceed safely.

For context, here's the trust chain I'm examining:

- User input: a GitHub user submits Markdown content via a discussion
- GitHub API: the discussion content is fetched; GitHub sanitizes some content but returns Markdown/HTML
- MDX pipeline: Supabase uses mdxSerialize -> MDXRemote to render the content
- Page output (sink): the rendered content appears on supabase.com pages like the Changelog or blog posts

This forms a trust chain: external input flows through several layers before being rendered in the browser, so a vulnerability here could be exploited if any layer fails to properly sanitize or escape content.

I'd like to understand if this flow has been considered and whether there's a safe environment where I can test it responsibly.

Thank you for your guidance!