server/utils/sanitization.ts

import { config } from "config-manager";
// import { sanitize } from "isomorphic-dompurify";

export const sanitizeHtml = async (html: string) => {
    // TEMP: Allow all tags and attributes
    return html;
    /*     const sanitizedHtml = sanitize(html, {
        ALLOWED_TAGS: [
            "a",
            "p",
            "br",
            "b",
            "i",
            "em",
            "strong",
            "del",
            "code",
            "u",
            "pre",
            "ul",
            "ol",
            "li",
            "blockquote",
        ],
        ALLOWED_ATTR: [
            "href",
            "target",
            "title",
            "rel",
            "class",
            "start",
            "reversed",
            "value",
        ],
        ALLOWED_URI_REGEXP: new RegExp(
            `/^(?:(?:${config.validation.url_scheme_whitelist.join(
                "|",
            )}):|[^a-z]|[a-z+.-]+(?:[^a-z+.-:]|$))/i`,
        ),
        USE_PROFILES: {
            mathMl: true,
        },
    });

    // Check text to only allow h-*, p-*, u-*, dt-*, e-*, mention, hashtag, ellipsis, invisible classes
    const allowedClasses = [
        "h-",
        "p-",
        "u-",
        "dt-",
        "e-",
        "mention",
        "hashtag",
        "ellipsis",
        "invisible",
    ];

    return await new HTMLRewriter()
        .on("*[class]", {
            element(element) {
                const classes = element.getAttribute("class")?.split(" ") ?? [];

                for (const className of classes) {
                    if (
                        !allowedClasses.some((allowedClass) =>
                            className.startsWith(allowedClass),
                        )
                    ) {
                        element.removeAttribute("class");
                    }
                }
            },
        })
        .transform(new Response(sanitizedHtml))
        .text(); */
};
Replace config manager with unjs/c12 2024-04-07 06:16:54 +02:00			`import { config } from "config-manager";`
temporarily disable sanitization 2024-04-07 16:05:06 +02:00			`// import { sanitize } from "isomorphic-dompurify";`
Add sanitization to HTML 2023-10-17 00:03:29 +02:00
			`export const sanitizeHtml = async (html: string) => {`
temporarily disable sanitization 2024-04-07 16:05:06 +02:00			`// TEMP: Allow all tags and attributes`
			`return html;`
			`/* const sanitizedHtml = sanitize(html, {`
Replace eslint and prettier with Biome 2024-04-07 07:30:49 +02:00			`ALLOWED_TAGS: [`
			`"a",`
			`"p",`
			`"br",`
			`"b",`
			`"i",`
			`"em",`
			`"strong",`
			`"del",`
			`"code",`
			`"u",`
			`"pre",`
			`"ul",`
			`"ol",`
			`"li",`
			`"blockquote",`
			`],`
			`ALLOWED_ATTR: [`
			`"href",`
			`"target",`
			`"title",`
			`"rel",`
			`"class",`
			`"start",`
			`"reversed",`
			`"value",`
			`],`
			`ALLOWED_URI_REGEXP: new RegExp(`
			`/^(?:(?:${config.validation.url_scheme_whitelist.join(
			`"\|",`
			)}):\|[^a-z]\|[a-z+.-]+(?:[^a-z+.-:]\|$))/i`,
			`),`
			`USE_PROFILES: {`
			`mathMl: true,`
			`},`
			`});`
Add sanitization to HTML 2023-10-17 00:03:29 +02:00
Replace eslint and prettier with Biome 2024-04-07 07:30:49 +02:00			`// Check text to only allow h-, p-, u-, dt-, e-*, mention, hashtag, ellipsis, invisible classes`
			`const allowedClasses = [`
			`"h-",`
			`"p-",`
			`"u-",`
			`"dt-",`
			`"e-",`
			`"mention",`
			`"hashtag",`
			`"ellipsis",`
			`"invisible",`
			`];`
Add sanitization to HTML 2023-10-17 00:03:29 +02:00
Replace eslint and prettier with Biome 2024-04-07 07:30:49 +02:00			`return await new HTMLRewriter()`
			`.on("*[class]", {`
			`element(element) {`
			`const classes = element.getAttribute("class")?.split(" ") ?? [];`
Add sanitization to HTML 2023-10-17 00:03:29 +02:00
Replace eslint and prettier with Biome 2024-04-07 07:30:49 +02:00			`for (const className of classes) {`
			`if (`
			`!allowedClasses.some((allowedClass) =>`
			`className.startsWith(allowedClass),`
			`)`
			`) {`
			`element.removeAttribute("class");`
			`}`
			`}`
			`},`
			`})`
			`.transform(new Response(sanitizedHtml))`
temporarily disable sanitization 2024-04-07 16:05:06 +02:00			`.text(); */`
Add sanitization to HTML 2023-10-17 00:03:29 +02:00			`};`