Extract HTML sanitizer to its own file

2020-01-08 14:25:46 +01:00 · 2020-01-08 14:25:46 +01:00 · 8d248bc32f
commit 8d248bc32f
parent d745f98bb7
2 changed files with 19 additions and 7 deletions
--- a/plugins/base/routes.go
+++ b/plugins/base/routes.go
@ -16,7 +16,6 @@ import (
 	"github.com/emersion/go-message"
 	"github.com/emersion/go-smtp"
 	"github.com/labstack/echo/v4"
-	"github.com/microcosm-cc/bluemonday"
 )

 func registerRoutes(p *koushin.GoPlugin) {
@ -246,12 +245,7 @@ func handleGetPart(ctx *koushin.Context, raw bool) error {

 	isHTML := false
 	if strings.EqualFold(mimeType, "text/html") {
-		p := bluemonday.UGCPolicy()
-		// TODO: be more strict
-		p.AllowElements("style")
-		p.AllowAttrs("style")
-		p.AddTargetBlankToFullyQualifiedLinks(true)
-		body = p.Sanitize(body)
+		body = sanitizeHTML(body)
 		isHTML = true
 	}

--- a/plugins/base/sanitize_html.go
+++ b/plugins/base/sanitize_html.go
@ -0,0 +1,18 @@
+package koushinbase
+
+import (
+	"github.com/microcosm-cc/bluemonday"
+)
+
+func sanitizeHTML(b string) string {
+	p := bluemonday.UGCPolicy()
+
+	// TODO: be more strict
+	p.AllowElements("style")
+	p.AllowAttrs("style")
+
+	p.AddTargetBlankToFullyQualifiedLinks(true)
+	p.RequireNoFollowOnLinks(true)
+
+	return p.Sanitize(b)
+}