
Replace sanitize-html by dompurify in frontend

It's lighter and we don't get native dependency warnings in the web
browser
This commit is contained in:
Chocobozzz 2024-08-16 10:30:21 +02:00
parent 38cc3910ff
commit 16d9204ea8
No known key found for this signature in database
GPG key ID: 583A612D890159BE
7 changed files with 127 additions and 73 deletions


@ -1,11 +1,30 @@
export function getDefaultSanitizedTags () {
return [ 'a', 'p', 'span', 'br', 'strong', 'em', 'ul', 'ol', 'li' ]
}
export function getDefaultSanitizedSchemes () {
return [ 'http', 'https' ]
}
export function getDefaultSanitizedHrefAttributes () {
return [ 'href', 'class', 'target', 'rel' ]
}
// ---------------------------------------------------------------------------
// ---------------------------------------------------------------------------
// sanitize-html
// ---------------------------------------------------------------------------
export function getDefaultSanitizeOptions () {
return {
allowedTags: [ 'a', 'p', 'span', 'br', 'strong', 'em', 'ul', 'ol', 'li' ],
allowedSchemes: [ 'http', 'https' ],
allowedTags: getDefaultSanitizedTags(),
allowedSchemes: getDefaultSanitizedSchemes(),
allowedAttributes: {
'a': [ 'href', 'class', 'target', 'rel' ],
'a': getDefaultSanitizedHrefAttributes(),
'*': [ 'data-*' ]
},
transformTags: {
a: (tagName: string, attribs: any) => {
let rel = 'noopener noreferrer'
@ -29,28 +48,9 @@ export function getTextOnlySanitizeOptions () {
}
}
export function getCustomMarkupSanitizeOptions (additionalAllowedTags: string[] = []) {
const base = getDefaultSanitizeOptions()
return {
allowedTags: [
...base.allowedTags,
...additionalAllowedTags,
'div', 'h1', 'h2', 'h3', 'h4', 'h5', 'h6', 'img'
],
allowedSchemes: [
...base.allowedSchemes,
'mailto'
],
allowedAttributes: {
...base.allowedAttributes,
'img': [ 'src', 'alt' ],
'*': [ 'data-*', 'style' ]
}
}
}
// ---------------------------------------------------------------------------
// Manual escapes
// ---------------------------------------------------------------------------
// Thanks: https://stackoverflow.com/a/12034334
export function escapeHTML (stringParam: string) {