LearnSpace: full-stack educational whiteboard platform

Node.js/Express backend + vanilla JS frontend.
Features: real-time collaborative whiteboard (SSE), multi-page support,
LaTeX formulas, shapes/connectors, coordinate systems, number lines,
compass, zoom/pan, Catmull-Rom pencil smoothing, ruler/protractor with
rotation & resize controls, minimap navigation overlay, auto-measurements,
multi-page thumbnails sidebar, PNG export, page templates.
Student/teacher workflows: classes, assignments, library, dashboard.
Mobile responsive. SQLite (better-sqlite3).

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

backend/src/utils/sanitize.js

@@ -0,0 +1,27 @@
+/* ── Shared input sanitization ────────────────────────────────────────── */
+
+/**
+ * Strip HTML tags from a string.
+ * Use on user-supplied text that will be stored or rendered.
+ */
+function stripTags(str) {
+  if (typeof str !== 'string') return str;
+  let s = str;
+  let prev;
+  do { prev = s; s = s.replace(/<[^>]*>?/g, ''); } while (s !== prev);
+  return s.trim();
+}
+
+/**
+ * Sanitize an object's string fields in-place.
+ * @param {object} obj
+ * @param {string[]} fields — keys to sanitize
+ */
+function sanitizeFields(obj, fields) {
+  for (const f of fields) {
+    if (typeof obj[f] === 'string') obj[f] = stripTags(obj[f]);
+  }
+  return obj;
+}
+
+module.exports = { stripTags, sanitizeFields };