merge: laxer HTML sanitisation for admin-controlled text - fixes #447 (!454)

View MR for information: https://activitypub.software/TransFem-org/Sharkey/-/merge_requests/454 Closes #447 Approved-by: Ember <acomputerdog@gmail.com> Approved-by: Marie <marie@kaifa.ch>
2024-05-07 20:19:53 +00:00 · 2024-05-07 20:19:53 +00:00 · ac9e4733fd
commit ac9e4733fd
parent ed91663672 2c40dd31f3
4 changed files with 21 additions and 3 deletions
--- a/packages/frontend/src/scripts/sanitize-html.ts
+++ b/packages/frontend/src/scripts/sanitize-html.ts
@ -0,0 +1,18 @@
+/*
+ * SPDX-FileCopyrightText: dakkar and other Sharkey contributors
+ * SPDX-License-Identifier: AGPL-3.0-only
+*/
+
+import original from 'sanitize-html';
+
+export default function sanitizeHtml(str: string | null): string | null {
+	if (str == null) return str;
+	return original(str, {
+		allowedTags: original.defaults.allowedTags.concat(['img', 'audio', 'video', 'center', 'details', 'summary']),
+		allowedAttributes: {
+			...original.defaults.allowedAttributes,
+			a: original.defaults.allowedAttributes.a.concat(['style']),
+			img: original.defaults.allowedAttributes.img.concat(['style']),
+		},
+	});
+}