feat(api): ✨ Reimplement HTML sanitization

2026-01-26 20:26:01 +01:00 · 2024-05-02 13:25:32 -10:00 · 2024-05-02 13:25:32 -10:00 · febddc2a8b
parent cac726ac1b
commit febddc2a8b
4 changed files with 123 additions and 126 deletions
--- a/bun.lockb
+++ b/bun.lockb
--- a/package.json
+++ b/package.json
@ -77,8 +77,10 @@
    "cli-parser": "workspace:*",
    "cli-table": "^0.3.11",
    "config-manager": "workspace:*",
+    "dompurify": "^3.1.2",
    "drizzle-orm": "^0.30.7",
    "extract-zip": "^2.0.1",
+    "happy-dom": "14.5.0",
    "html-to-text": "^9.0.5",
    "ioredis": "^5.3.2",
    "ip-matching": "^2.1.2",
@ -95,7 +97,6 @@
    "markdown-it-container": "^4.0.0",
    "markdown-it-toc-done-right": "^4.2.0",
    "media-manager": "workspace:*",
-        "megalodon": "^10.0.0",
    "meilisearch": "^0.38.0",
    "mime-types": "^2.1.35",
    "oauth4webapi": "^2.4.0",
--- a/server/api/api/v1/accounts/update_credentials/index.ts
+++ b/server/api/api/v1/accounts/update_credentials/index.ts
@ -97,19 +97,10 @@ export default apiRoute<typeof meta, typeof schema>(

        const sanitizedNote = await sanitizeHtml(note ?? "");

-        const sanitizedDisplayName = display_name ?? ""; /*  sanitize(display_name ?? "", {
+        const sanitizedDisplayName = await sanitizeHtml(display_name ?? "", {
            ALLOWED_TAGS: [],
            ALLOWED_ATTR: [],
        });
- */
-        /* if (!user.source) {
-		user.source = {
-			privacy: "public",
-			sensitive: false,
-			language: "en",
-			note: "",
-		};
-	} */

        let mediaManager: MediaBackend;

--- a/utils/sanitization.ts
+++ b/utils/sanitization.ts
@ -1,10 +1,14 @@
 import { config } from "config-manager";
-// import { sanitize } from "isomorphic-dompurify";
+import type DOMPurify from "dompurify";
+import createDomPurify from "dompurify";
+import { Window } from "happy-dom";

-export const sanitizeHtml = async (html: string) => {
-    // TEMP: Allow all tags and attributes
-    return html;
-    /*     const sanitizedHtml = sanitize(html, {
+const window = new Window();
+// @ts-expect-error Mismatch between types, but they're okay i swear
+const purifier = createDomPurify(window);
+
+export const sanitizeHtml = async (html: string, extraConfig?: DOMPurify.Config) => {
+    const sanitizedHtml = purifier.sanitize(html, {
        ALLOWED_TAGS: [
            "a",
            "p",
@ -40,7 +44,8 @@ export const sanitizeHtml = async (html: string) => {
        USE_PROFILES: {
            mathMl: true,
        },
-    });
+        ...extraConfig,
+    }) as string;

    // Check text to only allow h-*, p-*, u-*, dt-*, e-*, mention, hashtag, ellipsis, invisible classes
    const allowedClasses = [
@ -72,5 +77,5 @@ export const sanitizeHtml = async (html: string) => {
            },
        })
        .transform(new Response(sanitizedHtml))
-        .text(); */
+        .text();
 };