Unescaped NFT metadata in CollectionDetails.tsx
NFT metadata fields were rendered into CollectionDetails.tsx without HTML escaping, creating an injection vector if attacker-controlled metadata reached the rendering path.
Description
CollectionDetails.tsx rendered NFT metadata fields directly into the component tree without HTML escaping. Because metadata is user-controlled (NFT creators can put arbitrary content there), this provides an injection vector that downstream rendering could turn into XSS depending on the React render path.
Recommendation
Use React's default {text} interpolation (which escapes) consistently. Avoid dangerouslySetInnerHTML for any field derived from NFT metadata. For rich-content fields, sanitize with a library like DOMPurify before rendering.
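The effect of escaping at the point of output, as an added example that is not code from CollectionDetails.tsx or from the audit. It uses plain JavaScript string templates in place of React so it runs without dependencies; the metadata object, the function names and the escapeHtml helper are all assumptions made for illustration.

```javascript
// Constructed NFT metadata: the creator controls every field.
const sampleMetadata = {
  name: 'Cool Cats <script>alert(1)</script>',
  description: 'Rare & "limited" <img src=x onerror=alert(1)>',
};

const HTML_ESCAPES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;',
};

// Hypothetical helper standing in for the escaping that {text}
// interpolation gives you; null/undefined fields render as empty text.
function escapeHtml(value) {
  return String(value ?? '').replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Before: metadata placed into markup as-is (the pattern the finding describes).
function renderUnsafe(meta) {
  return `<h1>${meta.name}</h1><p>${meta.description}</p>`;
}

// After: every metadata-derived field is escaped where it is output.
function renderEscaped(meta) {
  return `<h1>${escapeHtml(meta.name)}</h1><p>${escapeHtml(meta.description)}</p>`;
}

// Regression check for a unit test: true if the output contains any tag
// other than the wrapper tags the template itself emits.
function containsInjectedMarkup(html, allowedTags = ['h1', 'p']) {
  const tags = html.match(/<\/?([a-zA-Z][\w-]*)/g) || [];
  return tags.some(
    (t) => !allowedTags.includes(t.replace(/^<\/?/, '').toLowerCase())
  );
}

console.log(containsInjectedMarkup(renderUnsafe(sampleMetadata)));
console.log(containsInjectedMarkup(renderEscaped(sampleMetadata)));
console.log(renderEscaped(sampleMetadata));
```

The same check can run in CI against the component's rendered output with creator-controlled fixtures, so a later switch to dangerouslySetInnerHTML on a metadata field fails the test.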
Initia: Acknowledged. Pashov Audit Group: Acknowledged.