diff options
Diffstat (limited to 'src/lib/Utility/sanitizeHtml.ts')
| -rw-r--r-- | src/lib/Utility/sanitizeHtml.ts | 32 |
1 files changed, 32 insertions, 0 deletions
diff --git a/src/lib/Utility/sanitizeHtml.ts b/src/lib/Utility/sanitizeHtml.ts new file mode 100644 index 00000000..3d0229e4 --- /dev/null +++ b/src/lib/Utility/sanitizeHtml.ts @@ -0,0 +1,32 @@ +import DOMPurify from "dompurify"; + +const feedConfig = { + ALLOWED_TAGS: [ + "a", + "b", + "i", + "em", + "strong", + "u", + "s", + "br", + "p", + "span", + "small", + "sup", + "sub", + "code", + ], + ALLOWED_ATTR: ["href", "title"], + ALLOWED_URI_REGEXP: /^(?:https?|mailto):/i, +}; + +/** + * Sanitise HTML coming from third-party RSS feeds before it reaches an `{@html}` + * sink. Keeps the light formatting these feeds actually use (HTML entities, + * `<i>`/`<b>`/`<a href>`) and strips anything that could inject content or + * behaviour: `<script>`, event-handler attributes, `<iframe>`/`<meta>`/`<style>`, + * `javascript:` URLs, and so on. Browser-only — call it from client code. + */ +export const sanitizeFeedHtml = (html: string | undefined | null): string => + html ? DOMPurify.sanitize(html, feedConfig) : ""; |