server/utils/sanitization.ts

import { stringifyEntitiesLight } from "stringify-entities";
import xss, { type IFilterXSSOptions } from "xss";

export const sanitizedHtmlStrip = (html: string) => {
    return sanitizeHtml(html, {
        whiteList: {},
    });
};

export const sanitizeHtml = async (
    html: string,
    extraConfig?: IFilterXSSOptions,
) => {
    const sanitizedHtml = xss(html, {
        whiteList: {
            a: ["href", "title", "target", "rel", "class"],
            p: ["class"],
            br: ["class"],
            b: ["class"],
            i: ["class"],
            em: ["class"],
            strong: ["class"],
            del: ["class"],
            code: ["class"],
            u: ["class"],
            pre: ["class"],
            ul: ["class"],
            ol: ["class"],
            li: ["class"],
            blockquote: ["class"],
        },
        stripIgnoreTag: false,
        escapeHtml: (unsafeHtml) =>
            stringifyEntitiesLight(unsafeHtml, {
                escapeOnly: true,
            }),
        ...extraConfig,
    });

    // Check text to only allow h-*, p-*, u-*, dt-*, e-*, mention, hashtag, ellipsis, invisible classes
    const allowedClasses = [
        "h-",
        "p-",
        "u-",
        "dt-",
        "e-",
        "mention",
        "hashtag",
        "ellipsis",
        "invisible",
    ];

    return await new HTMLRewriter()
        .on("*[class]", {
            element(element) {
                const classes = element.getAttribute("class")?.split(" ") ?? [];

                for (const className of classes) {
                    if (
                        !allowedClasses.some((allowedClass) =>
                            className.startsWith(allowedClass),
                        )
                    ) {
                        element.removeAttribute("class");
                    }
                }
            },
        })
        .transform(new Response(sanitizedHtml))
        .text();
};
refactor(api): :package: Change sanitizer from DOMPurify to xss 2024-05-03 05:20:24 +02:00			`import { stringifyEntitiesLight } from "stringify-entities";`
feat(api): :lock: Make all media be proxied through an internal proxy 2024-05-05 07:13:23 +02:00			`import xss, { type IFilterXSSOptions } from "xss";`
fix(build): :bug: aaa 2024-05-03 02:44:49 +02:00
refactor(api): :package: Change sanitizer from DOMPurify to xss 2024-05-03 05:20:24 +02:00			`export const sanitizedHtmlStrip = (html: string) => {`
			`return sanitizeHtml(html, {`
			`whiteList: {},`
			`});`
			`};`
Add sanitization to HTML 2023-10-17 00:03:29 +02:00
fix: :art: Switch from happy-dom to jsdom for HTML sanitization 2024-05-03 01:53:10 +02:00			`export const sanitizeHtml = async (`
			`html: string,`
refactor(api): :package: Change sanitizer from DOMPurify to xss 2024-05-03 05:20:24 +02:00			`extraConfig?: IFilterXSSOptions,`
fix: :art: Switch from happy-dom to jsdom for HTML sanitization 2024-05-03 01:53:10 +02:00			`) => {`
refactor(api): :package: Change sanitizer from DOMPurify to xss 2024-05-03 05:20:24 +02:00			`const sanitizedHtml = xss(html, {`
			`whiteList: {`
			`a: ["href", "title", "target", "rel", "class"],`
			`p: ["class"],`
			`br: ["class"],`
			`b: ["class"],`
			`i: ["class"],`
			`em: ["class"],`
			`strong: ["class"],`
			`del: ["class"],`
			`code: ["class"],`
			`u: ["class"],`
			`pre: ["class"],`
			`ul: ["class"],`
			`ol: ["class"],`
			`li: ["class"],`
			`blockquote: ["class"],`
Replace eslint and prettier with Biome 2024-04-07 07:30:49 +02:00			`},`
refactor(api): :package: Change sanitizer from DOMPurify to xss 2024-05-03 05:20:24 +02:00			`stripIgnoreTag: false,`
			`escapeHtml: (unsafeHtml) =>`
			`stringifyEntitiesLight(unsafeHtml, {`
			`escapeOnly: true,`
			`}),`
feat(api): :sparkles: Reimplement HTML sanitization 2024-05-03 01:25:32 +02:00			`...extraConfig,`
refactor(api): :package: Change sanitizer from DOMPurify to xss 2024-05-03 05:20:24 +02:00			`});`
Add sanitization to HTML 2023-10-17 00:03:29 +02:00
Replace eslint and prettier with Biome 2024-04-07 07:30:49 +02:00			`// Check text to only allow h-, p-, u-, dt-, e-*, mention, hashtag, ellipsis, invisible classes`
			`const allowedClasses = [`
			`"h-",`
			`"p-",`
			`"u-",`
			`"dt-",`
			`"e-",`
			`"mention",`
			`"hashtag",`
			`"ellipsis",`
			`"invisible",`
			`];`
Add sanitization to HTML 2023-10-17 00:03:29 +02:00
Replace eslint and prettier with Biome 2024-04-07 07:30:49 +02:00			`return await new HTMLRewriter()`
			`.on("*[class]", {`
			`element(element) {`
			`const classes = element.getAttribute("class")?.split(" ") ?? [];`
Add sanitization to HTML 2023-10-17 00:03:29 +02:00
Replace eslint and prettier with Biome 2024-04-07 07:30:49 +02:00			`for (const className of classes) {`
			`if (`
			`!allowedClasses.some((allowedClass) =>`
			`className.startsWith(allowedClass),`
			`)`
			`) {`
			`element.removeAttribute("class");`
			`}`
			`}`
			`},`
			`})`
			`.transform(new Response(sanitizedHtml))`
feat(api): :sparkles: Reimplement HTML sanitization 2024-05-03 01:25:32 +02:00			`.text();`
Add sanitization to HTML 2023-10-17 00:03:29 +02:00			`};`