fix: sanitize HTML from Mastodon servers (#788)

2023-01-05 09:21:09 +02:00 · 2023-01-05 09:21:09 +02:00 · 5c0e1790fa
commit 5c0e1790fa
parent 777066508e
3 changed files with 260 additions and 50 deletions
--- a/tests/snapshots/content-rich.test.ts.snap
+++ b/tests/snapshots/content-rich.test.ts.snap
@ -1,5 +1,12 @@
 // Vitest Snapshot v1

+exports[`content-rich > JavaScript hrefs get removed 1`] = `
+"<p>
+  <a href=\\"#\\" rel=\\"nofollow noopener noreferrer\\" target=\\"_blank\\">click me</a>
+</p>
+"
+`;
+
 exports[`content-rich > code frame 1`] = `
 "<p>Testing code block</p><p><pre lang=\\"ts\\">import { useMouse, usePreferredDark } from &#39;@vueuse/core&#39;
 // tracks mouse position
@ -10,7 +17,13 @@ const isDark = usePreferredDark()</pre></p>"

 exports[`content-rich > code frame 2 1`] = `
 "<p>
-  <span class=\\"h-card\\"><a class=\\"u-url mention\\" to=\\"/mas.to/@antfu\\"></a></span>
+  <span class=\\"h-card\\"
+    ><a
+      class=\\"u-url mention\\"
+      rel=\\"nofollow noopener noreferrer\\"
+      to=\\"/mas.to/@antfu\\"
+    ></a
+  ></span>
  Testing<br />
  <pre lang=\\"ts\\">const a = hello</pre>
 </p>
@ -62,3 +75,8 @@ exports[`content-rich > link + mention 1`] = `
 </p>
 "
 `;
+
+exports[`content-rich > script tags get removed 1`] = `
+"<p></p>
+"
+`;
--- a/tests/snapshots/html-parse.test.ts.snap
+++ b/tests/snapshots/html-parse.test.ts.snap
@ -23,7 +23,11 @@ const isDark = usePreferredDark()
 exports[`html-parse > code frame 2 > html 1`] = `
 "<p>
  <span class=\\"h-card\\"
-    ><a href=\\"https://mas.to/@antfu\\" class=\\"u-url mention\\"
+    ><a
+      href=\\"https://mas.to/@antfu\\"
+      class=\\"u-url mention\\"
+      rel=\\"nofollow noopener noreferrer\\"
+      target=\\"_blank\\"
      >@<span>antfu</span></a
    ></span
  >