From 171897849f8d5b5fffe85940989eb1e445dc37aa Mon Sep 17 00:00:00 2001 From: Charity Helms Date: Sun, 22 Feb 2026 16:19:27 -0500 Subject: [PATCH] added sanitizeHTML from DOMpurity --- blocks/embed/embed.js | 11 ++++++++--- 1 file changed, 8 insertions(+), 3 deletions(-) diff --git a/blocks/embed/embed.js b/blocks/embed/embed.js index 26efe0ad..3adb3871 100644 --- a/blocks/embed/embed.js +++ b/blocks/embed/embed.js @@ -4,6 +4,11 @@ * https://www.hlx.live/developer/block-collection/embed */ +import { sanitizeHTML } from '../../scripts/scripts.js'; + +/* eslint-disable secure-coding/no-improper-sanitization -- +sanitizeHTML uses DOMPurify via the import from scripts.js which linting can't see */ + const loadScript = (url, callback, type) => { const head = document.querySelector('head'); const script = document.createElement('script'); @@ -80,10 +85,10 @@ const loadEmbed = (block, link, autoplay) => { const config = EMBEDS_CONFIG.find((e) => e.match.some((match) => link.includes(match))); const url = new URL(link); if (config) { - block.innerHTML = config.embed(url, autoplay); + block.innerHTML = sanitizeHTML(config.embed(url, autoplay)); block.classList = `block embed embed-${config.match[0]}`; } else { - block.innerHTML = getDefaultEmbed(url); + block.innerHTML = sanitizeHTML(getDefaultEmbed(url)); block.classList = 'block embed'; } block.classList.add('embed-is-loaded'); @@ -97,7 +102,7 @@ export default function decorate(block) { if (placeholder) { const wrapper = document.createElement('div'); wrapper.className = 'embed-placeholder'; - wrapper.innerHTML = '
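Review bot: The block comment `/* eslint-disable secure-coding/no-improper-sanitization -- ... */` added in the first hunk has no matching `eslint-enable`, so it switches the rule off for the whole remainder of embed.js, and a later `innerHTML` assignment that forgets `sanitizeHTML` would pass lint unnoticed. Scoping it per use keeps the lint signal: `// eslint-disable-next-line secure-coding/no-improper-sanitization` directly above each of the three sanitized assignments this patch introduces, or at minimum a `/* eslint-enable secure-coding/no-improper-sanitization */` immediately after the import block. The comment's justification that `sanitizeHTML` wraps DOMPurify cannot be confirmed from this diff, since scripts.js is not part of it; a short note next to the import naming where that helper is configured would help the next reader.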
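Review bot: The value sanitized on the two changed lines of `loadEmbed` is the markup returned by `config.embed(url, autoplay)` and `getDefaultEmbed(url)`, which for an embed block is presumably an `iframe`; DOMPurify's default allowlist removes `iframe` elements and attributes such as `allow` and `allowfullscreen`, so unless `sanitizeHTML` in scripts.js (outside this diff) is configured to permit them, the block would be silently emptied. A unit test asserting that `loadEmbed` leaves an `iframe` with the expected `src` inside `block` would catch that regression. Sanitizing the markup also does not constrain where the iframe points: the provider is selected by the context line `e.match.some((match) => link.includes(match))`, a substring test over the whole link rather than a comparison of `url.hostname` against the provider domain, so the new sanitizer call should not be read as replacing that check. `loadEmbed` continues past the end of the hunk.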
'; + wrapper.innerHTML = sanitizeHTML('
'); wrapper.prepend(placeholder); wrapper.addEventListener('click', () => { loadEmbed(block, link, true);
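Review bot: On the changed line `sanitizeHTML` is applied to a string literal, so DOMPurify runs over constant markup that contains no untrusted input; the literal's tags were lost in this rendering, and if the placeholder markup uses an element or attribute outside DOMPurify's default allowlist it would be stripped silently, which is worth a quick check in the browser. Building the placeholder with `document.createElement` and `wrapper.append(...)` instead of `innerHTML` would avoid both the runtime sanitizer call and the need for a lint exception at this site. `decorate` begins and ends outside the hunk.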