Only the latest release receives security updates.

If you discover a security vulnerability, please report it through GitHub Security Advisories.

Please do not open a public issue for security vulnerabilities.

You can expect an initial response within 72 hours. Once confirmed, a fix will be prioritized and released as soon as possible.

This project takes security seriously:

• All rendered HTML is sanitized through DOMPurify to prevent XSS attacks
• Script tags, event handlers, JavaScript URIs, and iframes are stripped
• Safe content (KaTeX, MathML, checkboxes) is preserved through a configured allowlist