merge: laxer HTML sanitisation for admin-controlled text - fixes #447 (!454)

View MR for information: https://activitypub.software/TransFem-org/Sharkey/-/merge_requests/454

Closes #447

Approved-by: Ember <acomputerdog@gmail.com>
Approved-by: Marie <marie@kaifa.ch>

1 files changed, 18 insertions, 0 deletions

diff --git a/packages/frontend/src/scripts/sanitize-html.ts b/packages/frontend/src/scripts/sanitize-html.ts
new file mode 100644
index 0000000000..6e1a46c746
--- /dev/null
+++ b/packages/frontend/src/scripts/sanitize-html.ts
@@ -0,0 +1,18 @@
+/*
+ * SPDX-FileCopyrightText: dakkar and other Sharkey contributors
+ * SPDX-License-Identifier: AGPL-3.0-only
+*/
+
+import original from 'sanitize-html';
+
+export default function sanitizeHtml(str: string | null): string | null {
+	if (str == null) return str;
+	return original(str, {
+		allowedTags: original.defaults.allowedTags.concat(['img', 'audio', 'video', 'center', 'details', 'summary']),
+		allowedAttributes: {
+			...original.defaults.allowedAttributes,
+			a: original.defaults.allowedAttributes.a.concat(['style']),
+			img: original.defaults.allowedAttributes.img.concat(['style']),
+		},
+	});
+}