server/utils/sanitization.ts

import { stringifyEntitiesLight } from "stringify-entities";
import xss, { type IFilterXSSOptions } from "xss";

export const sanitizedHtmlStrip = (html: string): Promise<string> => {
    return sanitizeHtml(html, {
        whiteList: {},
    });
};

export const sanitizeHtmlInline = (
    html: string,
    extraConfig?: IFilterXSSOptions,
): Promise<string> => {
    return sanitizeHtml(html, {
        whiteList: {
            a: ["href", "title", "target", "rel", "class"],
            p: ["class"],
            b: ["class"],
            i: ["class"],
            em: ["class"],
            strong: ["class"],
            del: ["class"],
            u: ["class"],
            font: ["color", "size", "face", "class"],
            strike: ["class"],
            mark: ["class"],
            small: ["class"],
        },
        ...extraConfig,
    });
};

export const sanitizeHtml = async (
    html: string,
    extraConfig?: IFilterXSSOptions,
): Promise<string> => {
    const sanitizedHtml = xss(html, {
        whiteList: {
            a: ["href", "title", "target", "rel", "class"],
            p: ["class"],
            br: ["class"],
            b: ["class"],
            i: ["class"],
            em: ["class"],
            strong: ["class"],
            del: ["class"],
            code: ["class"],
            u: ["class"],
            pre: ["class"],
            ul: ["class"],
            ol: ["class"],
            li: ["class"],
            blockquote: ["class"],
            h1: ["class"],
            h2: ["class"],
            h3: ["class"],
            h4: ["class"],
            h5: ["class"],
            h6: ["class"],
            img: ["src", "alt", "title", "class"],
            font: ["color", "size", "face", "class"],
            table: ["class"],
            tr: ["class"],
            td: ["class"],
            th: ["class"],
            tbody: ["class"],
            thead: ["class"],
            tfoot: ["class"],
            hr: ["class"],
            strike: ["class"],
            figcaption: ["class"],
            figure: ["class"],
            mark: ["class"],
            summary: ["class"],
            details: ["class"],
            caption: ["class"],
            small: ["class"],
            video: ["class", "src", "controls"],
            audio: ["class", "src", "controls"],
            source: ["src", "type"],
            track: ["src", "label", "kind"],
            input: ["type", "checked", "disabled", "class"],
        },
        stripIgnoreTag: false,
        escapeHtml: (unsafeHtml): string =>
            stringifyEntitiesLight(unsafeHtml, {
                escapeOnly: true,
            }),
        ...extraConfig,
    });

    // Check text to only allow h-*, p-*, u-*, dt-*, e-*, mention, hashtag, ellipsis, invisible classes
    const allowedClasses = [
        "h-",
        "p-",
        "u-",
        "dt-",
        "e-",
        "mention",
        "hashtag",
        "ellipsis",
        "invisible",
        "task-list-item-checkbox",
    ];

    return await new HTMLRewriter()
        .on("*[class]", {
            element(element): void {
                const classes = element.getAttribute("class")?.split(" ") ?? [];

                for (const className of classes) {
                    if (
                        !allowedClasses.some((allowedClass) =>
                            className.startsWith(allowedClass),
                        )
                    ) {
                        element.removeAttribute("class");
                    }
                }
            },
        })
        // Only allow disabled checkbox input
        .on("input", {
            element(element): void {
                if (element.getAttribute("type") === "checkbox") {
                    element.setAttribute("disabled", "");
                } else {
                    element.remove();
                }
            },
        })
        .transform(new Response(sanitizedHtml))
        .text();
};
refactor(api): :package: Change sanitizer from DOMPurify to xss 2024-05-03 05:20:24 +02:00			`import { stringifyEntitiesLight } from "stringify-entities";`
feat(api): :lock: Make all media be proxied through an internal proxy 2024-05-05 07:13:23 +02:00			`import xss, { type IFilterXSSOptions } from "xss";`
fix(build): :bug: aaa 2024-05-03 02:44:49 +02:00
refactor: :recycle: Always use explicit types in every function 2024-11-02 00:43:33 +01:00			`export const sanitizedHtmlStrip = (html: string): Promise<string> => {`
refactor(api): :package: Change sanitizer from DOMPurify to xss 2024-05-03 05:20:24 +02:00			`return sanitizeHtml(html, {`
			`whiteList: {},`
			`});`
			`};`
Add sanitization to HTML 2023-10-17 00:03:29 +02:00
refactor: :rotating_light: Turn every linter rule on and fix issues (there were a LOT :3) 2024-06-13 04:26:43 +02:00			`export const sanitizeHtmlInline = (`
feat(api): :sparkles: Allow more HTML tags in Markdown 2024-05-12 03:27:19 +02:00			`html: string,`
			`extraConfig?: IFilterXSSOptions,`
refactor: :recycle: Always use explicit types in every function 2024-11-02 00:43:33 +01:00			`): Promise<string> => {`
feat(api): :sparkles: Allow more HTML tags in Markdown 2024-05-12 03:27:19 +02:00			`return sanitizeHtml(html, {`
			`whiteList: {`
			`a: ["href", "title", "target", "rel", "class"],`
			`p: ["class"],`
			`b: ["class"],`
			`i: ["class"],`
			`em: ["class"],`
			`strong: ["class"],`
			`del: ["class"],`
			`u: ["class"],`
			`font: ["color", "size", "face", "class"],`
			`strike: ["class"],`
			`mark: ["class"],`
			`small: ["class"],`
			`},`
			`...extraConfig,`
			`});`
			`};`

fix: :art: Switch from happy-dom to jsdom for HTML sanitization 2024-05-03 01:53:10 +02:00			`export const sanitizeHtml = async (`
			`html: string,`
refactor(api): :package: Change sanitizer from DOMPurify to xss 2024-05-03 05:20:24 +02:00			`extraConfig?: IFilterXSSOptions,`
refactor: :recycle: Always use explicit types in every function 2024-11-02 00:43:33 +01:00			`): Promise<string> => {`
refactor(api): :package: Change sanitizer from DOMPurify to xss 2024-05-03 05:20:24 +02:00			`const sanitizedHtml = xss(html, {`
			`whiteList: {`
			`a: ["href", "title", "target", "rel", "class"],`
			`p: ["class"],`
			`br: ["class"],`
			`b: ["class"],`
			`i: ["class"],`
			`em: ["class"],`
			`strong: ["class"],`
			`del: ["class"],`
			`code: ["class"],`
			`u: ["class"],`
			`pre: ["class"],`
			`ul: ["class"],`
			`ol: ["class"],`
			`li: ["class"],`
			`blockquote: ["class"],`
feat(api): :sparkles: Allow more HTML tags in Markdown 2024-05-12 03:27:19 +02:00			`h1: ["class"],`
			`h2: ["class"],`
			`h3: ["class"],`
			`h4: ["class"],`
			`h5: ["class"],`
			`h6: ["class"],`
			`img: ["src", "alt", "title", "class"],`
			`font: ["color", "size", "face", "class"],`
			`table: ["class"],`
			`tr: ["class"],`
			`td: ["class"],`
			`th: ["class"],`
			`tbody: ["class"],`
			`thead: ["class"],`
			`tfoot: ["class"],`
			`hr: ["class"],`
			`strike: ["class"],`
			`figcaption: ["class"],`
			`figure: ["class"],`
			`mark: ["class"],`
			`summary: ["class"],`
			`details: ["class"],`
			`caption: ["class"],`
			`small: ["class"],`
			`video: ["class", "src", "controls"],`
			`audio: ["class", "src", "controls"],`
			`source: ["src", "type"],`
			`track: ["src", "label", "kind"],`
feat(api): :sparkles: Allow disabled checkbox inputs in rich text 2024-11-19 11:20:24 +01:00			`input: ["type", "checked", "disabled", "class"],`
Replace eslint and prettier with Biome 2024-04-07 07:30:49 +02:00			`},`
refactor(api): :package: Change sanitizer from DOMPurify to xss 2024-05-03 05:20:24 +02:00			`stripIgnoreTag: false,`
refactor: :recycle: Always use explicit types in every function 2024-11-02 00:43:33 +01:00			`escapeHtml: (unsafeHtml): string =>`
refactor(api): :package: Change sanitizer from DOMPurify to xss 2024-05-03 05:20:24 +02:00			`stringifyEntitiesLight(unsafeHtml, {`
			`escapeOnly: true,`
			`}),`
feat(api): :sparkles: Reimplement HTML sanitization 2024-05-03 01:25:32 +02:00			`...extraConfig,`
refactor(api): :package: Change sanitizer from DOMPurify to xss 2024-05-03 05:20:24 +02:00			`});`
Add sanitization to HTML 2023-10-17 00:03:29 +02:00
Replace eslint and prettier with Biome 2024-04-07 07:30:49 +02:00			`// Check text to only allow h-, p-, u-, dt-, e-*, mention, hashtag, ellipsis, invisible classes`
			`const allowedClasses = [`
			`"h-",`
			`"p-",`
			`"u-",`
			`"dt-",`
			`"e-",`
			`"mention",`
			`"hashtag",`
			`"ellipsis",`
			`"invisible",`
feat(api): :sparkles: Allow disabled checkbox inputs in rich text 2024-11-19 11:20:24 +01:00			`"task-list-item-checkbox",`
Replace eslint and prettier with Biome 2024-04-07 07:30:49 +02:00			`];`
Add sanitization to HTML 2023-10-17 00:03:29 +02:00
Replace eslint and prettier with Biome 2024-04-07 07:30:49 +02:00			`return await new HTMLRewriter()`
			`.on("*[class]", {`
refactor: :recycle: Always use explicit types in every function 2024-11-02 00:43:33 +01:00			`element(element): void {`
Replace eslint and prettier with Biome 2024-04-07 07:30:49 +02:00			`const classes = element.getAttribute("class")?.split(" ") ?? [];`
Add sanitization to HTML 2023-10-17 00:03:29 +02:00
Replace eslint and prettier with Biome 2024-04-07 07:30:49 +02:00			`for (const className of classes) {`
			`if (`
			`!allowedClasses.some((allowedClass) =>`
			`className.startsWith(allowedClass),`
			`)`
			`) {`
			`element.removeAttribute("class");`
			`}`
			`}`
			`},`
			`})`
feat(api): :sparkles: Allow disabled checkbox inputs in rich text 2024-11-19 11:20:24 +01:00			`// Only allow disabled checkbox input`
			`.on("input", {`
			`element(element): void {`
fix(api): :bug: Correctly sanitize checkbox inputs 2024-11-19 11:32:16 +01:00			`if (element.getAttribute("type") === "checkbox") {`
			`element.setAttribute("disabled", "");`
			`} else {`
			`element.remove();`
feat(api): :sparkles: Allow disabled checkbox inputs in rich text 2024-11-19 11:20:24 +01:00			`}`
			`},`
			`})`
Replace eslint and prettier with Biome 2024-04-07 07:30:49 +02:00			`.transform(new Response(sanitizedHtml))`
feat(api): :sparkles: Reimplement HTML sanitization 2024-05-03 01:25:32 +02:00			`.text();`
Add sanitization to HTML 2023-10-17 00:03:29 +02:00			`};`