PostGrid API Security Flaw: Unfiltered HTML Injection Risks Physical Postcard Abuse
A critical security vulnerability in the PostGrid integration code allows unvalidated user HTML to be printed directly onto physical postcards. The flaw, identified in the backend's postcard and draft handling routes, passes raw `frontHTML` and `backHTML` from user requests directly to the PostGrid API without sanitization. While the `message` field is properly cleaned using DOMPurify, the HTML fields are not, creating a direct path for injection.
The vulnerability is present in two key locations: `backend/src/routes/postcards.ts` (lines 177-183) and `backend/src/routes/drafts.ts` (lines 250-275). In the drafts route, the unsanitized HTML from a saved draft is sent to PostGrid upon publication. This oversight means an attacker could embed arbitrary HTML and JavaScript code that PostGrid's system would render and physically print.
The primary impact is a content injection vulnerability that enables financial abuse. A malicious actor could exploit this to generate postcards with injected content, directly wasting real money on fraudulent or abusive mailings. The fix requires applying the same DOMPurify sanitization already used for the `message` field to the `frontHTML` and `backHTML` parameters before any API call to PostGrid.
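The fix described above, as an added example that is not the project's own code: a single sanitization choke point that both the postcard route and the draft-publish path call before anything is handed to PostGrid, so `frontHTML` and `backHTML` receive exactly the same treatment as `message`. The sanitizer is injected as a function of the assumed shape `(html: string) => string` (matching `DOMPurify.sanitize`), the field names are assumed from the article, and the size limit is a constructed value.

```typescript
// Added example; field names and the sanitizer signature are assumptions, not project code.
type Sanitizer = (html: string) => string;

interface PostcardContent {
  frontHTML: string;
  backHTML: string;
  message: string;
}

// Constructed limit for this example; the page does not give PostGrid's real limit.
const MAX_HTML_CHARS = 64 * 1024;

// Reject anything that is not a plain string. Arrays or objects coerced with
// String() can slip odd content past a sanitizer, so fail closed instead.
function requireString(value: unknown, field: string): string {
  if (typeof value !== "string") {
    throw new Error(`${field} must be a string`);
  }
  if (value.length > MAX_HTML_CHARS) {
    throw new Error(`${field} exceeds ${MAX_HTML_CHARS} characters`);
  }
  return value;
}

// Single choke point: every route that sends content to PostGrid (create
// postcard, publish draft) goes through here, so no HTML field can be skipped.
// A missing field becomes an empty string rather than an unchecked value.
function sanitizePostcardContent(body: Record<string, unknown>, sanitize: Sanitizer): PostcardContent {
  return {
    frontHTML: sanitize(requireString(body.frontHTML ?? "", "frontHTML")),
    backHTML: sanitize(requireString(body.backHTML ?? "", "backHTML")),
    message: sanitize(requireString(body.message ?? "", "message")),
  };
}

// Shape of the flawed draft-publish path, kept for contrast: only `message` is cleaned.
function publishDraftVulnerable(draft: Record<string, unknown>, sanitize: Sanitizer) {
  return {
    frontHTML: draft.frontHTML,
    backHTML: draft.backHTML,
    message: sanitize(String(draft.message ?? "")),
  };
}

// Hardened publish: a stored draft is treated as untrusted at publish time, since it
// may have been saved before the fix or written through another path.
function publishDraftHardened(draft: Record<string, unknown>, sanitize: Sanitizer): PostcardContent {
  return sanitizePostcardContent(draft, sanitize);
}
```

Sanitizing at publish time rather than only at save time also covers drafts that were stored before the fix was deployed.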