From 217d3c286d8c5249b0d6a832e9f0b6e36e10111a Mon Sep 17 00:00:00 2001
From: Jesse Wierzbinski
Date: Fri, 22 Nov 2024 19:12:52 +0100
Subject: [PATCH] feat(api): :sparkles: Allow divs and spans in HTML
---
 utils/sanitization.ts | 15 ++++++++-------
 1 file changed, 8 insertions(+), 7 deletions(-)
diff --git a/utils/sanitization.ts b/utils/sanitization.ts
index a7c262d8..cd0b65fc 100644
--- a/utils/sanitization.ts
+++ b/utils/sanitization.ts
@@ -81,6 +81,8 @@ export const sanitizeHtml = async (
 source: ["src", "type"],
 track: ["src", "label", "kind"],
 input: ["type", "checked", "disabled", "class"],
+ span: ["class", "translate"],
+ div: ["class"],
 },
 stripIgnoreTag: false,
 escapeHtml: (unsafeHtml): string =>
@@ -91,12 +93,9 @@ export const sanitizeHtml = async (
 });
 // Check text to only allow h-*, p-*, u-*, dt-*, e-*, mention, hashtag, ellipsis, invisible classes
+ const allowedClassesStart = ["h-", "p-", "u-", "dt-", "e-"];
+
 const allowedClasses = [
- "h-",
- "p-",
- "u-",
- "dt-",
- "e-",
 "mention",
 "hashtag",
 "ellipsis",
@@ -111,8 +110,10 @@ export const sanitizeHtml = async (
 for (const className of classes) {
 if (
- !allowedClasses.some((allowedClass) =>
- className.startsWith(allowedClass),
+ !(
+ allowedClassesStart.some((allowedClass) =>
+ className.startsWith(allowedClass),
+ ) && allowedClasses.includes(className)
 )
 ) {
 element.removeAttribute("class");
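Review bot: With `class` now allowed on `span` and `div` (the `@@ -81,6 +81,8 @@` hunk), the class check later in `sanitizeHtml` becomes the only limit on which class names incoming HTML can attach to generic containers. Per its comment that check is meant to accept any `h-*`, `p-*`, `u-*`, `dt-*` or `e-*` name. If a client stylesheet happens to define classes under those short prefixes, sanitized content could pick up its styling, so it may be worth matching known microformats2-style names rather than bare prefixes. At minimum I would add a comment on the two new entries, e.g. `// class values are filtered by the allowed-class check below`. The enclosing allow-list object starts outside the hunk.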
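Review bot: `allowedClassesStart` and `allowedClasses` in the `@@ -91,12 +93,9 @@` hunk are matched differently further down (`startsWith` versus `includes`), but nothing at the declarations says so and the comment above still lists them as one set. I would add `// Prefixes: a class starting with one of these is kept` above the first and `// Exact names: the class must equal one of these` above the second. The `allowedClasses` literal continues outside the hunk.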
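Review bot: In the `@@ -111,8 +110,10 @@` hunk the rewritten condition joins the prefix test and the exact-name test with `&&`, so a class is kept only when it both starts with one of `h-`/`p-`/`u-`/`dt-`/`e-` and equals an entry of `allowedClasses`. None of the entries visible in this patch (`mention`, `hashtag`, `ellipsis`) begins with one of those prefixes, so unless the part of the array outside the hunk does, every `class` attribute is removed. That fails closed, but it drops the classes the comment says are allowed. The two tests should be alternatives: `allowedClassesStart.some((prefix) => className.startsWith(prefix)) || allowedClasses.includes(className)`. The loop body continues outside the hunk.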