As a platform operator, I want user/instructor-provided HTML controlled so that unsafe content cannot execute.
Acceptance criteria:
- Markdown-rendered instructions and feedback are sanitized.
- Code output is escaped unless explicitly trusted by a controlled renderer.
- Links can be restricted or opened safely.
- Feedback scripts cannot inject arbitrary host-page scripts through Markdown.
- Sanitization behavior is covered by tests.
As a platform operator, I want user/instructor-provided HTML controlled so that unsafe content cannot execute.
Acceptance criteria: