Critical Stored XSS in Shared Notes via Unsecured rehype-raw Markdown Rendering
A critical stored cross-site scripting (XSS) vulnerability has been identified in the note-sharing feature, stemming from the unsafe rendering of raw HTML in markdown. The `Preview` component uses the `rehype-raw` plugin to process markdown but crucially lacks the `rehype-sanitize` plugin, allowing malicious HTML to be executed in a victim's browser. This flaw is located in `packages/client/src/components/Preview/Preview.tsx`.
The exploit chain is direct and dangerous. An attacker (User A) can create a note containing a malicious HTML payload, such as a script disguised in an image tag. When this note is shared with another user (User B), the victim's browser renders the note in preview mode, executing the attacker's JavaScript within the victim's authenticated session. This enables the attacker to steal session tokens, perform unauthorized actions on behalf of the victim, and exfiltrate sensitive data from the application.
The absence of input sanitization in a core rendering pipeline for a sharing feature represents a severe security oversight. This vulnerability exposes all users of the shared notes functionality to session hijacking and data theft. The immediate remediation is to integrate the `rehype-sanitize` plugin into the rehype processing chain within the `Preview.tsx` component to strip dangerous HTML before rendering.
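To make the remediation concrete, the following added example (not code from the affected project) shows what the sanitizing step that must follow `rehype-raw` does to the hast tree: it walks the elements that raw HTML was expanded into and drops disallowed tags, event-handler properties and unsafe URL schemes. It uses a small hand-written allowlist plugin and a constructed hast tree so it runs offline; in `Preview.tsx` the real fix is `rehypeSanitize` with its default schema placed after `rehypeRaw` in the plugin chain, since sanitizing before raw expansion would miss the injected nodes.

```javascript
// Minimal allowlist standing in for rehype-sanitize's default schema (assumption).
const ALLOWED_TAGS = new Set(['p', 'a', 'img', 'em', 'strong', 'code', 'pre', 'ul', 'ol', 'li', 'h1', 'h2', 'h3']);
const ALLOWED_PROPS = { a: ['href', 'title'], img: ['src', 'alt', 'title'] };
const SAFE_URL = /^(https?:|mailto:|\/|#|\.\/)/i; // http(s), mailto or relative only

function isSafeUrl(value) {
  return typeof value === 'string' && SAFE_URL.test(value.trim());
}

// Rehype plugin shape: a factory returning a transformer over the hast root.
// Must run AFTER rehype-raw, which is when raw HTML has become element nodes.
function rehypeStripUnsafe() {
  return function transformer(tree) {
    sanitizeChildren(tree);
    return tree;
  };
}

function sanitizeChildren(parent) {
  if (!Array.isArray(parent.children)) return;
  parent.children = parent.children.filter((node) => {
    if (node.type !== 'element') return node.type === 'text'; // keep text, drop comments/raw
    if (!ALLOWED_TAGS.has(node.tagName)) return false;         // drops <script>, <iframe>, ...
    const allowed = ALLOWED_PROPS[node.tagName] || [];
    const props = node.properties || {};
    node.properties = {};
    for (const [key, value] of Object.entries(props)) {
      if (!allowed.includes(key.toLowerCase())) continue;       // drops onError, onLoad, style, ...
      if ((key === 'href' || key === 'src') && !isSafeUrl(value)) continue; // drops javascript: URLs
      node.properties[key] = value;
    }
    sanitizeChildren(node);
    return true;
  });
}

// Constructed hast tree: what rehype-raw yields for a shared note whose markdown
// embeds an <img> tag with an inline handler and a <script> tag (placeholder values).
const sharedNoteTree = {
  type: 'root',
  children: [
    { type: 'element', tagName: 'p', properties: {}, children: [{ type: 'text', value: 'Meeting notes' }] },
    { type: 'element', tagName: 'img', properties: { src: 'https://example.invalid/x.png', onError: 'PLACEHOLDER_HANDLER' }, children: [] },
    { type: 'element', tagName: 'script', properties: {}, children: [{ type: 'text', value: 'PLACEHOLDER_SCRIPT' }] },
  ],
};

// Runs the plugin on a copy of the constructed tree and returns the sanitized root.
function sanitizedSharedNote() {
  return rehypeStripUnsafe()(JSON.parse(JSON.stringify(sharedNoteTree)));
}
```

After sanitizing, the `<script>` element is gone and the `<img>` keeps only its `src`; the same allowlist idea is what `rehype-sanitize`'s schema enforces.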