added insane to sanitize html

2025-04-24 20:36:40 +07:00 · 2021-02-24 17:55:23 +07:00 · 2021-02-24 17:55:23 +07:00 · b58ddba328
commit b58ddba328
parent 165039c177
6 changed files with 93 additions and 14 deletions
--- a/package.json
+++ b/package.json
@ -14,6 +14,7 @@
    "connected-react-router": "^6.5.2",
    "date-fns": "^2.4.1",
    "flexbin": "^0.2.0",
+    "insane": "^2.6.2",
    "marked": "^2.0.0",
    "node-sass": "4.14.1",
    "photoswipe": "^4.1.3",
--- a/src/components/comment/CommentTextBlock/styles.module.scss
+++ b/src/components/comment/CommentTextBlock/styles.module.scss
@ -29,14 +29,14 @@
    color: $wisegreen;
  }

-  &:last-child {
-    p {
-      &::after {
-        content: '';
-        display: inline-flex;
-        height: 1em;
-        width: 150px;
-      }
-    }
-  }
+  //&:last-child {
+  //  p {
+  //    &::after {
+  //      content: '';
+  //      display: inline-flex;
+  //      height: 1em;
+  //      width: 150px;
+  //    }
+  //  }
+  //}
 }
--- a/src/utils/dom.ts
+++ b/src/utils/dom.ts
@ -95,14 +95,14 @@ export const getURL = (file: Partial<IFile>, size?: typeof PRESETS[keyof typeof
 };

 export const formatText = pipe(
-  formatTextSanitizeTags,
  formatTextSanitizeYoutube,
  formatTextComments,
  formatTextTodos,
  formatExclamations,
  formatTextDash,
  formatTextMarkdown,
-  formatTextClickableUsernames
+  formatTextClickableUsernames,
+  formatTextSanitizeTags
 );

 export const formatTextParagraphs = (text: string): string => (text && formatText(text)) || null;
--- a/src/utils/formatText.ts
+++ b/src/utils/formatText.ts
@ -1,4 +1,5 @@
 import marked from 'marked';
+import { stripHTMLTags } from '~/utils/stripHTMLTags';

 /**
 * Cleans youtube urls
@ -12,8 +13,7 @@ export const formatTextSanitizeYoutube = (text: string): string =>
 /**
 * Removes HTML tags
 */
-export const formatTextSanitizeTags = (text: string): string =>
-  text.replace(/</g, '&lt;').replace(/>/g, '&gt;');
+export const formatTextSanitizeTags = (text: string): string => stripHTMLTags(text);

 /**
 * Returns clickable usernames
--- a/src/utils/stripHTMLTags.ts
+++ b/src/utils/stripHTMLTags.ts
@ -0,0 +1,60 @@
+import insane from 'insane';
+
+const INSANE_OPTIONS = {
+  allowedAttributes: {
+    a: ['href', 'name', 'target'],
+    img: ['src'],
+  },
+  allowedClasses: {
+    span: ['grey'],
+  },
+  allowedSchemes: ['http', 'https', 'mailto', 'ssh', 'ftp', 'tg'],
+  allowedTags: [
+    'a',
+    'article',
+    'b',
+    'blockquote',
+    'br',
+    'caption',
+    'code',
+    'del',
+    'details',
+    'div',
+    'em',
+    'h1',
+    'h2',
+    'h3',
+    'h4',
+    'h5',
+    'h6',
+    'hr',
+    'i',
+    'img',
+    'ins',
+    'kbd',
+    'li',
+    'main',
+    'ol',
+    'p',
+    'pre',
+    'section',
+    'span',
+    'strike',
+    'strong',
+    'sub',
+    'summary',
+    'sup',
+    'table',
+    'tbody',
+    'td',
+    'th',
+    'thead',
+    'tr',
+    'u',
+    'ul',
+  ],
+  filter: null,
+  transformText: null,
+};
+
+export const stripHTMLTags = (text: string) => insane(text, INSANE_OPTIONS);
--- a/yarn.lock
+++ b/yarn.lock
@ -2309,6 +2309,11 @@ assign-symbols@^1.0.0:
  resolved "https://registry.yarnpkg.com/assign-symbols/-/assign-symbols-1.0.0.tgz#59667f41fadd4f20ccbc2bb96b8d4f7f78ec0367"
  integrity sha1-WWZ/QfrdTyDMvCu5a41Pf3jsA2c=

+assignment@2.0.0:
+  version "2.0.0"
+  resolved "https://registry.yarnpkg.com/assignment/-/assignment-2.0.0.tgz#ffd17b21bf5d6b22e777b989681a815456a3dd3e"
+  integrity sha1-/9F7Ib9dayLnd7mJaBqBVFaj3T4=
+
 ast-types-flow@0.0.7, ast-types-flow@^0.0.7:
  version "0.0.7"
  resolved "https://registry.yarnpkg.com/ast-types-flow/-/ast-types-flow-0.0.7.tgz#f70b735c6bca1a5c9c22d982c3e39e7feba3bdad"
@ -5405,6 +5410,11 @@ hash.js@^1.0.0, hash.js@^1.0.3:
    inherits "^2.0.3"
    minimalistic-assert "^1.0.1"

+he@0.5.0:
+  version "0.5.0"
+  resolved "https://registry.yarnpkg.com/he/-/he-0.5.0.tgz#2c05ffaef90b68e860f3fd2b54ef580989277ee2"
+  integrity sha1-LAX/rvkLaOhg8/0rVO9YCYknfuI=
+
 he@^1.2.0:
  version "1.2.0"
  resolved "https://registry.yarnpkg.com/he/-/he-1.2.0.tgz#84ae65fa7eafb165fddb61566ae14baf05664f0f"
@ -5784,6 +5794,14 @@ inquirer@^7.0.0:
    strip-ansi "^6.0.0"
    through "^2.3.6"

+insane@^2.6.2:
+  version "2.6.2"
+  resolved "https://registry.yarnpkg.com/insane/-/insane-2.6.2.tgz#c2ab68bb3e006ab451560d1b446917329c0a8120"
+  integrity sha1-wqtouz4AarRRVg0bRGkXMpwKgSA=
+  dependencies:
+    assignment "2.0.0"
+    he "0.5.0"
+
 internal-ip@^4.3.0:
  version "4.3.0"
  resolved "https://registry.yarnpkg.com/internal-ip/-/internal-ip-4.3.0.tgz#845452baad9d2ca3b69c635a137acb9a0dad0907"