Deuxfleurs/alps
23
1
Fork 0
Code Issues Pull requests 1 Projects Releases Wiki Activity

Extract HTML sanitizer to its own file

Browse source
This commit is contained in:
Simon Ser 2020-01-08 14:25:46 +01:00
parent d745f98bb7
commit 8d248bc32f
No known key found for this signature in database
GPG key ID: 0FDE7BE0E88F5E48
2 changed files with 19 additions and 7 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

8
plugins/base/routes.go
View file

@ -16,7 +16,6 @@ import (
"github.com/emersion/go-message" "github.com/emersion/go-message"
"github.com/emersion/go-smtp" "github.com/emersion/go-smtp"
"github.com/labstack/echo/v4" "github.com/labstack/echo/v4"
"github.com/microcosm-cc/bluemonday"
) )
func registerRoutes(p *koushin.GoPlugin) { func registerRoutes(p *koushin.GoPlugin) {
@ -246,12 +245,7 @@ func handleGetPart(ctx *koushin.Context, raw bool) error {
isHTML := false isHTML := false
if strings.EqualFold(mimeType, "text/html") { if strings.EqualFold(mimeType, "text/html") {
p := bluemonday.UGCPolicy() body = sanitizeHTML(body)
// TODO: be more strict
p.AllowElements("style")
p.AllowAttrs("style")
p.AddTargetBlankToFullyQualifiedLinks(true)
body = p.Sanitize(body)
isHTML = true isHTML = true
} }

18
plugins/base/sanitize_html.go Normal file
View file

@ -0,0 +1,18 @@
package koushinbase
import (
"github.com/microcosm-cc/bluemonday"
)
func sanitizeHTML(b string) string {
p := bluemonday.UGCPolicy()
// TODO: be more strict
p.AllowElements("style")
p.AllowAttrs("style")
p.AddTargetBlankToFullyQualifiedLinks(true)
p.RequireNoFollowOnLinks(true)
return p.Sanitize(b)
}