import DOMPurify from "dompurify";

const feedConfig = {
	ALLOWED_TAGS: [
		"a",
		"b",
		"i",
		"em",
		"strong",
		"u",
		"s",
		"br",
		"p",
		"span",
		"small",
		"sup",
		"sub",
		"code",
	],
	ALLOWED_ATTR: ["href", "title"],
	ALLOWED_URI_REGEXP: /^(?:https?|mailto):/i,
};

/**
 * Sanitise HTML coming from third-party RSS feeds before it reaches an `{@html}`
 * sink. Keeps the light formatting these feeds actually use (HTML entities,
 * `<i>`/`<b>`/`<a href>`) and strips anything that could inject content or
 * behaviour: `<script>`, event-handler attributes, `<iframe>`/`<meta>`/`<style>`,
 * `javascript:` URLs, and so on. Browser-only — call it from client code.
 */
export const sanitizeFeedHtml = (html: string | undefined | null): string =>
	html ? DOMPurify.sanitize(html, feedConfig) : "";