From b58ddba32858f2658e11b05bef96e21958ce8173 Mon Sep 17 00:00:00 2001
From: Fedor Katurov
Date: Wed, 24 Feb 2021 17:55:23 +0700
Subject: [PATCH] added insane to sanitize html

---
 package.json | 1 +
 .../CommentTextBlock/styles.module.scss | 20 +++----
 src/utils/dom.ts | 4 +-
 src/utils/formatText.ts | 4 +-
 src/utils/stripHTMLTags.ts | 60 +++++++++++++++++++
 yarn.lock | 18 ++++++
 6 files changed, 93 insertions(+), 14 deletions(-)
 create mode 100644 src/utils/stripHTMLTags.ts

diff --git a/package.json b/package.json
index 8d1c21b1..7d948d3e 100644
--- a/package.json
+++ b/package.json
@@ -14,6 +14,7 @@
 "connected-react-router": "^6.5.2",
 "date-fns": "^2.4.1",
 "flexbin": "^0.2.0",
+ "insane": "^2.6.2",
 "marked": "^2.0.0",
 "node-sass": "4.14.1",
 "photoswipe": "^4.1.3",
diff --git a/src/components/comment/CommentTextBlock/styles.module.scss b/src/components/comment/CommentTextBlock/styles.module.scss
index 86b9a599..f42e2ef7 100644
--- a/src/components/comment/CommentTextBlock/styles.module.scss
+++ b/src/components/comment/CommentTextBlock/styles.module.scss
@@ -29,14 +29,14 @@
 color: $wisegreen;
 }
- &:last-child {
- p {
- &::after {
- content: '';
- display: inline-flex;
- height: 1em;
- width: 150px;
- }
- }
- }
+ //&:last-child {
+ // p {
+ // &::after {
+ // content: '';
+ // display: inline-flex;
+ // height: 1em;
+ // width: 150px;
+ // }
+ // }
+ //}
 }
diff --git a/src/utils/dom.ts b/src/utils/dom.ts
index f10d9582..34e7a44b 100644
--- a/src/utils/dom.ts
+++ b/src/utils/dom.ts
@@ -95,14 +95,14 @@ export const getURL = (file: Partial, size?: typeof PRESETS[keyof typeof
 };
 export const formatText = pipe(
- formatTextSanitizeTags,
 formatTextSanitizeYoutube,
 formatTextComments,
 formatTextTodos,
 formatExclamations,
 formatTextDash,
 formatTextMarkdown,
- formatTextClickableUsernames
+ formatTextClickableUsernames,
+ formatTextSanitizeTags
 );
 export const formatTextParagraphs = (text: string): string => (text && formatText(text)) || null;
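Review bot: Moving `formatTextSanitizeTags` to the end of `pipe(...)` makes it the last pass over the HTML that `formatTextMarkdown` and `formatTextClickableUsernames` emit, which is the right place for a sanitizer, but the ordering is load-bearing and nothing in the file says so. A comment on the last argument would keep a later refactor from moving it back to the front: `// keep the sanitizer last: it must see the final HTML produced by the formatters above`. One consequence worth confirming is that any tag or attribute those earlier formatters generate that is not in the stripHTMLTags allowlist is now silently dropped from the rendered output rather than escaped.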
diff --git a/src/utils/formatText.ts b/src/utils/formatText.ts
index ff8e79d4..1c7aa4f9 100644
--- a/src/utils/formatText.ts
+++ b/src/utils/formatText.ts
@@ -1,4 +1,5 @@
 import marked from 'marked';
+import { stripHTMLTags } from '~/utils/stripHTMLTags';
 /**
 * Cleans youtube urls
@@ -12,8 +13,7 @@ export const formatTextSanitizeYoutube = (text: string): string =>
 /**
 * Removes HTML tags
 */
-export const formatTextSanitizeTags = (text: string): string =>
- text.replace(//g, '>');
+export const formatTextSanitizeTags = (text: string): string => stripHTMLTags(text);
 /**
 * Returns clickable usernames
diff --git a/src/utils/stripHTMLTags.ts b/src/utils/stripHTMLTags.ts
new file mode 100644
index 00000000..bc0ff92a
--- /dev/null
+++ b/src/utils/stripHTMLTags.ts
@@ -0,0 +1,60 @@
+import insane from 'insane';
+
+const INSANE_OPTIONS = {
+ allowedAttributes: {
+ a: ['href', 'name', 'target'],
+ img: ['src'],
+ },
+ allowedClasses: {
+ span: ['grey'],
+ },
+ allowedSchemes: ['http', 'https', 'mailto', 'ssh', 'ftp', 'tg'],
+ allowedTags: [
+ 'a',
+ 'article',
+ 'b',
+ 'blockquote',
+ 'br',
+ 'caption',
+ 'code',
+ 'del',
+ 'details',
+ 'div',
+ 'em',
+ 'h1',
+ 'h2',
+ 'h3',
+ 'h4',
+ 'h5',
+ 'h6',
+ 'hr',
+ 'i',
+ 'img',
+ 'ins',
+ 'kbd',
+ 'li',
+ 'main',
+ 'ol',
+ 'p',
+ 'pre',
+ 'section',
+ 'span',
+ 'strike',
+ 'strong',
+ 'sub',
+ 'summary',
+ 'sup',
+ 'table',
+ 'tbody',
+ 'td',
+ 'th',
+ 'thead',
+ 'tr',
+ 'u',
+ 'ul',
+ ],
+ filter: null,
+ transformText: null,
+};
+
+export const stripHTMLTags = (text: string) => insane(text, INSANE_OPTIONS);
diff --git a/yarn.lock b/yarn.lock
index 81b3d1ca..35533ee3 100644
--- a/yarn.lock
+++ b/yarn.lock
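Review bot: The `/** Removes HTML tags */` comment above `formatTextSanitizeTags` is now inaccurate: the function delegates to `stripHTMLTags`, which applies an allowlist and keeps the tags and attributes it permits rather than removing all markup. Suggest `/** Sanitizes HTML against the allowlist in stripHTMLTags: permitted tags/attributes are kept, everything else is dropped */`. If any caller relied on the previous escape-everything behaviour it now receives live HTML instead, so the comment should also say the result is meant to be rendered as HTML.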
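Review bot: The exported `stripHTMLTags` has no return type annotation, so if `insane` ships without typings the function is inferred as returning `any` and that leaks into `formatTextSanitizeTags`; write it as `export const stripHTMLTags = (text: string): string => insane(text, INSANE_OPTIONS);`. The `a` allowlist keeps `target` while `filter` is `null`, so nothing adds `rel="noopener noreferrer"` to links that open in a new browsing context; either drop `target` from `allowedAttributes.a` or use the filter hook to add the `rel` attribute whenever `target` is present — worth confirming against insane's filter API. The module name also undersells what it does: this is an allowlist sanitizer, not a tag stripper, and a short header comment stating that `INSANE_OPTIONS` is the allowlist applied to the final rendered HTML (and that adding a tag or attribute here widens what user content can render) would help whoever edits the list next. A one-line comment on `allowedSchemes` explaining why `ssh`, `ftp` and `tg` are accepted would likewise help, since they are not conventional defaults.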
@@ -2309,6 +2309,11 @@ assign-symbols@^1.0.0: resolved "https://registry.yarnpkg.com/assign-symbols/-/assign-symbols-1.0.0.tgz#59667f41fadd4f20ccbc2bb96b8d4f7f78ec0367" integrity sha1-WWZ/QfrdTyDMvCu5a41Pf3jsA2c= +assignment@2.0.0: + version "2.0.0" + resolved "https://registry.yarnpkg.com/assignment/-/assignment-2.0.0.tgz#ffd17b21bf5d6b22e777b989681a815456a3dd3e" + integrity sha1-/9F7Ib9dayLnd7mJaBqBVFaj3T4= + ast-types-flow@0.0.7, ast-types-flow@^0.0.7: version "0.0.7" resolved "https://registry.yarnpkg.com/ast-types-flow/-/ast-types-flow-0.0.7.tgz#f70b735c6bca1a5c9c22d982c3e39e7feba3bdad" @@ -5405,6 +5410,11 @@ hash.js@^1.0.0, hash.js@^1.0.3: inherits "^2.0.3" minimalistic-assert "^1.0.1" +he@0.5.0: + version "0.5.0" + resolved "https://registry.yarnpkg.com/he/-/he-0.5.0.tgz#2c05ffaef90b68e860f3fd2b54ef580989277ee2" + integrity sha1-LAX/rvkLaOhg8/0rVO9YCYknfuI= + he@^1.2.0: version "1.2.0" resolved "https://registry.yarnpkg.com/he/-/he-1.2.0.tgz#84ae65fa7eafb165fddb61566ae14baf05664f0f" @@ -5784,6 +5794,14 @@ inquirer@^7.0.0: strip-ansi "^6.0.0" through "^2.3.6" +insane@^2.6.2: + version "2.6.2" + resolved "https://registry.yarnpkg.com/insane/-/insane-2.6.2.tgz#c2ab68bb3e006ab451560d1b446917329c0a8120" + integrity sha1-wqtouz4AarRRVg0bRGkXMpwKgSA= + dependencies: + assignment "2.0.0" + he "0.5.0" + internal-ip@^4.3.0: version "4.3.0" resolved "https://registry.yarnpkg.com/internal-ip/-/internal-ip-4.3.0.tgz#845452baad9d2ca3b69c635a137acb9a0dad0907"