Stored Cross-Site Scripting (XSS) in SimplCommerce News Module Admin Interface
Description
Stored cross-site scripting (XSS) in NewsItemApiController in SimplCommerce prior to commit 6142d3b5 allows an authenticated administrator to execute arbitrary JavaScript via the ShortContent and FullContent fields, which are stored without HTML sanitization and rendered unencoded via @Html.Raw().
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
- Range: < commit 6142d3b5
Patches
Vulnerability mechanics
Root cause
"Missing HTML sanitization on ShortContent and FullContent fields in NewsItemApiController allows stored cross-site scripting."
Attack vector
An authenticated administrator sends a POST or PUT request to the news item API endpoint with malicious JavaScript embedded in the `ShortContent` or `FullContent` fields. The server stores the unsanitized payload in the database. When any user (including other administrators or visitors) views the news item, the view renders the content using `@Html.Raw()`, which emits the raw HTML without encoding, causing the attacker's script to execute in the victim's browser. The attack requires an admin account but no special network position beyond HTTP access to the API.
Affected code
The vulnerability resides in `NewsItemApiController` (`src/Modules/SimplCommerce.Module.News/Areas/News/Controllers/NewsItemApiController.cs`). The `Post` and `Put` actions assign `model.ShortContent` and `model.FullContent` directly to the entity without sanitization, and the stored values are later rendered via `@Html.Raw()` in views, enabling stored XSS.
What the fix does
The patch adds a reference to the `Ganss.Xss` namespace and instantiates an `HtmlSanitizer` instance in the controller. In both the `Post` and `Put` methods, the `ShortContent` and `FullContent` values are now passed through `_htmlSanitizer.Sanitize()` before being stored. This strips or encodes dangerous HTML elements and attributes, preventing malicious script injection while preserving safe markup. The companion commit [patch_id=6351302] adds the `HtmlSanitizer` NuGet package dependency to the project file.
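As an added illustration, not SimplCommerce's own code, this shows the sanitize-on-write pattern the fix describes, written against the real Ganss.Xss `HtmlSanitizer` API, plus an audit over rows written before the patch, which sanitizing on write alone does not clean. The `NewsItem` class and the helper names are hypothetical stand-ins for the module's entity and controller code.

```csharp
// Added example (not SimplCommerce's code). Requires the HtmlSanitizer NuGet package.
using System;
using System.Collections.Generic;
using System.Linq;
using Ganss.Xss;

public class NewsItem            // hypothetical stand-in for the module's entity
{
    public long Id { get; set; }
    public string ShortContent { get; set; } = "";
    public string FullContent { get; set; } = "";
}

public static class NewsContentSanitizer
{
    // One shared instance. The default allow-list drops <script>, event-handler
    // attributes and javascript: URLs while keeping benign markup such as <p> and <b>.
    private static readonly HtmlSanitizer Sanitizer = new HtmlSanitizer();

    // Call on every write path (Post and Put alike) so nothing reaches
    // @Html.Raw() that has not passed the allow-list.
    public static void SanitizeOnWrite(NewsItem item)
    {
        item.ShortContent = Sanitizer.Sanitize(item.ShortContent ?? "");
        item.FullContent  = Sanitizer.Sanitize(item.FullContent ?? "");
    }

    // Rows stored before the fix still hold their original markup. Flag any row
    // whose content changes under sanitization so it can be reviewed and re-saved.
    // Treat hits as a review queue, not proof of malice: the sanitizer also
    // normalizes whitespace and attribute quoting in harmless markup.
    public static List<long> FindRowsNeedingReview(IEnumerable<NewsItem> rows) =>
        rows.Where(r => Sanitizer.Sanitize(r.ShortContent ?? "") != (r.ShortContent ?? "")
                     || Sanitizer.Sanitize(r.FullContent ?? "")  != (r.FullContent ?? ""))
            .Select(r => r.Id)
            .ToList();
}

public static class Program
{
    public static void Main()
    {
        // Constructed sample rows: one benign, one carrying an inline script.
        var rows = new List<NewsItem>
        {
            new NewsItem { Id = 1, ShortContent = "<p>Release <b>notes</b></p>", FullContent = "<p>Details</p>" },
            new NewsItem { Id = 2, ShortContent = "<p>Hi</p><script>alert(1)</script>", FullContent = "<a href=\"javascript:alert(1)\">x</a>" },
        };
        Console.WriteLine("Rows needing review: " + string.Join(", ", NewsContentSanitizer.FindRowsNeedingReview(rows)));
        foreach (var r in rows) NewsContentSanitizer.SanitizeOnWrite(r);
        Console.WriteLine(rows[1].ShortContent + " | " + rows[1].FullContent);
    }
}
```

Running the audit before and after deploying the fix gives a concrete list of legacy rows to clean; the sanitize-on-write path only protects content saved from that point on.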
Preconditions
- auth: Attacker must be an authenticated administrator with access to the news item API endpoints.
- network: Attacker must be able to send HTTP POST or PUT requests to the news item controller.
- config: The application must render the stored ShortContent or FullContent fields using @Html.Raw() in a view.
Generated on Jun 17, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.