Sanitize rather than strip html

2024-06-11 12:41:56 -07:00
parent 289d2fb8f9
commit 9c9e483f01
6 changed files with 35 additions and 39 deletions
@@ -1,3 +1,11 @@
 # @welshman/content [![version](https://badgen.net/npm/v/@welshman/content)](https://npmjs.com/package/@welshman/content)

 Utilities for parsing note content.
+
+```typescript
+import {truncate, parse, render} from '@welshman/content'
+
+const content = "Hello<br>from https://coracle.tools! <script>alert('evil')</script>"
+const html = truncate(parse({content})).map(render).join("")
+// =>
+```
@@ -1,5 +1,5 @@
 import {nip19} from "nostr-tools"
-import insane from 'insane'
+import {sanitizeUrl} from '@braintree/sanitize-url'

 const last = <T>(xs: T[], ...args: unknown[]) => xs[xs.length - 1]

@@ -431,12 +431,25 @@ export class HTML {

  toString = () => this.value

-  static useSafely = (value: string) => new HTML(insane(value))
-
  static useDangerously = (value: string) => new HTML(value)

-  static buildLink = (href: string, display: string) =>
-    HTML.useSafely(`<a href=${href} target="_blank">${display}</a>`)
+  static useSafely = (value: string) => {
+    const element = document.createElement('div')
+
+    element.innerText = value
+
+    return new HTML(element.innerHTML)
+  }
+
+  static buildLink = (href: string, display: string) => {
+    const element = document.createElement('a')
+
+    element.href = sanitizeUrl(href)
+    element.target = "_blank"
+    element.innerText = display
+
+    return HTML.useDangerously(element.outerHTML)
+  }

  static buildEntityLink = (entity: string, options: RenderOptions) =>
    HTML.buildLink(options.entityBaseUrl + entity, entity.slice(0, 16) + '…')
@@ -26,13 +26,12 @@
    "fix": "gts fix"
  },
  "devDependencies": {
-    "@types/insane": "^1.0.0",
    "gts": "^5.0.1",
    "tsc-multi": "^1.1.0",
    "typescript": "~5.1.6"
  },
  "dependencies": {
-    "insane": "^2.6.2",
+    "@braintree/sanitize-url": "^7.0.2",
    "nostr-tools": "^2.7.0"
  }
 }