import DOMPurify from "dompurify";
/** Inline emphasis / link tags that RSS bodies commonly carry. */
const feedInlineTags = ["a", "b", "i", "em", "strong", "u", "s"];
/** Line/paragraph structure plus a few neutral inline wrappers. */
const feedStructureTags = ["br", "p", "span", "small", "sup", "sub", "code"];

/**
 * DOMPurify allow-list for third-party feed markup.
 *
 * - `ALLOWED_TAGS`: only these elements survive sanitisation.
 * - `ALLOWED_ATTR`: only `href` and `title` survive on them; no `style`,
 *   `class`, `target` or event-handler attributes.
 * - `ALLOWED_URI_REGEXP`: a URI attribute is accepted only when its value
 *   starts with `http:`, `https:` or `mailto:` (case-insensitive). That
 *   rejects `javascript:`/`data:`/`vbscript:` links, and also relative URLs,
 *   so feeds must use absolute links for them to be kept.
 *
 * NOTE(review): DOMPurify reads only the option names it knows, so keep these
 * keys spelled exactly as in the DOMPurify docs — a typo would not error, it
 * would just fall back to the library default.
 */
const feedConfig = {
  ALLOWED_TAGS: [...feedInlineTags, ...feedStructureTags],
  ALLOWED_ATTR: ["href", "title"],
  ALLOWED_URI_REGEXP: /^(?:https?|mailto):/i,
};
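/**
 * Sanitise HTML coming from third-party RSS feeds before it reaches an `{@html}`
 * sink. Keeps the light formatting these feeds actually use (HTML entities,
 * `<i>`/`<b>`/`<a href>`) and strips anything that could inject content or
 * behaviour: `<script>`, event-handler attributes, `<iframe>`/`<meta>`/`<style>`,
 * `javascript:` URLs, and so on. Browser-only — call it from client code.
 *
 * @param html Raw feed markup; `null`, `undefined` and `""` yield `""`.
 * @returns Markup filtered through `feedConfig`, safe for `{@html}`.
 * @throws Error when DOMPurify reports it cannot run in this environment
 *   (no DOM, e.g. during SSR). This is deliberate: DOMPurify does not throw in
 *   that case — it returns the input unchanged — so letting the call "succeed"
 *   would pass raw feed HTML straight to the sink.
 */
export const sanitizeFeedHtml = (html: string | undefined | null): string => {
  if (!html) {
    return "";
  }
  // Fail closed. Without a DOM DOMPurify sets `isSupported` to false and
  // `sanitize()` hands back the dirty input untouched, which would silently
  // defeat the whole point of this helper. Surface the misuse instead.
  if (!DOMPurify.isSupported) {
    throw new Error(
      "sanitizeFeedHtml: DOMPurify is not supported in this environment (no DOM?); call it from client code",
    );
  }
  return DOMPurify.sanitize(html, feedConfig);
};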