server/utils/sanitization.ts

import { config } from "config-manager";
import DOMPurify from "dompurify";
import { Window } from "happy-dom";

const window = new Window();

export const sanitizeHtml = async (
    html: string,
    extraConfig?: DOMPurify.Config,
) => {
    // @ts-expect-error Types clash but it works i swear
    const sanitizedHtml = DOMPurify(window).sanitize(html, {
        ALLOWED_TAGS: [
            "a",
            "p",
            "br",
            "b",
            "i",
            "em",
            "strong",
            "del",
            "code",
            "u",
            "pre",
            "ul",
            "ol",
            "li",
            "blockquote",
        ],
        ALLOWED_ATTR: [
            "href",
            "target",
            "title",
            "rel",
            "class",
            "start",
            "reversed",
            "value",
        ],
        ALLOWED_URI_REGEXP: new RegExp(
            `/^(?:(?:${config.validation.url_scheme_whitelist.join(
                "|",
            )}):|[^a-z]|[a-z+.-]+(?:[^a-z+.-:]|$))/i`,
        ),
        USE_PROFILES: {
            mathMl: true,
        },
        ...extraConfig,
    }) as string;

    // Check text to only allow h-*, p-*, u-*, dt-*, e-*, mention, hashtag, ellipsis, invisible classes
    const allowedClasses = [
        "h-",
        "p-",
        "u-",
        "dt-",
        "e-",
        "mention",
        "hashtag",
        "ellipsis",
        "invisible",
    ];

    return await new HTMLRewriter()
        .on("*[class]", {
            element(element) {
                const classes = element.getAttribute("class")?.split(" ") ?? [];

                for (const className of classes) {
                    if (
                        !allowedClasses.some((allowedClass) =>
                            className.startsWith(allowedClass),
                        )
                    ) {
                        element.removeAttribute("class");
                    }
                }
            },
        })
        .transform(new Response(sanitizedHtml))
        .text();
};
Replace config manager with unjs/c12 2024-04-07 06:16:54 +02:00			`import { config } from "config-manager";`
fix(api): :ambulance: Replace isomorphic-dompurify with plain jsdom and dompurify 2024-05-03 02:21:09 +02:00			`import DOMPurify from "dompurify";`
fix(build): :bug: aaa 2024-05-03 02:44:49 +02:00			`import { Window } from "happy-dom";`

			`const window = new Window();`
Add sanitization to HTML 2023-10-17 00:03:29 +02:00
fix: :art: Switch from happy-dom to jsdom for HTML sanitization 2024-05-03 01:53:10 +02:00			`export const sanitizeHtml = async (`
			`html: string,`
			`extraConfig?: DOMPurify.Config,`
			`) => {`
fix(build): :bug: aaa 2024-05-03 02:44:49 +02:00			`// @ts-expect-error Types clash but it works i swear`
			`const sanitizedHtml = DOMPurify(window).sanitize(html, {`
Replace eslint and prettier with Biome 2024-04-07 07:30:49 +02:00			`ALLOWED_TAGS: [`
			`"a",`
			`"p",`
			`"br",`
			`"b",`
			`"i",`
			`"em",`
			`"strong",`
			`"del",`
			`"code",`
			`"u",`
			`"pre",`
			`"ul",`
			`"ol",`
			`"li",`
			`"blockquote",`
			`],`
			`ALLOWED_ATTR: [`
			`"href",`
			`"target",`
			`"title",`
			`"rel",`
			`"class",`
			`"start",`
			`"reversed",`
			`"value",`
			`],`
			`ALLOWED_URI_REGEXP: new RegExp(`
			`/^(?:(?:${config.validation.url_scheme_whitelist.join(
			`"\|",`
			)}):\|[^a-z]\|[a-z+.-]+(?:[^a-z+.-:]\|$))/i`,
			`),`
			`USE_PROFILES: {`
			`mathMl: true,`
			`},`
feat(api): :sparkles: Reimplement HTML sanitization 2024-05-03 01:25:32 +02:00			`...extraConfig,`
			`}) as string;`
Add sanitization to HTML 2023-10-17 00:03:29 +02:00
Replace eslint and prettier with Biome 2024-04-07 07:30:49 +02:00			`// Check text to only allow h-, p-, u-, dt-, e-*, mention, hashtag, ellipsis, invisible classes`
			`const allowedClasses = [`
			`"h-",`
			`"p-",`
			`"u-",`
			`"dt-",`
			`"e-",`
			`"mention",`
			`"hashtag",`
			`"ellipsis",`
			`"invisible",`
			`];`
Add sanitization to HTML 2023-10-17 00:03:29 +02:00
Replace eslint and prettier with Biome 2024-04-07 07:30:49 +02:00			`return await new HTMLRewriter()`
			`.on("*[class]", {`
			`element(element) {`
			`const classes = element.getAttribute("class")?.split(" ") ?? [];`
Add sanitization to HTML 2023-10-17 00:03:29 +02:00
Replace eslint and prettier with Biome 2024-04-07 07:30:49 +02:00			`for (const className of classes) {`
			`if (`
			`!allowedClasses.some((allowedClass) =>`
			`className.startsWith(allowedClass),`
			`)`
			`) {`
			`element.removeAttribute("class");`
			`}`
			`}`
			`},`
			`})`
			`.transform(new Response(sanitizedHtml))`
feat(api): :sparkles: Reimplement HTML sanitization 2024-05-03 01:25:32 +02:00			`.text();`
Add sanitization to HTML 2023-10-17 00:03:29 +02:00			`};`