Restrict DOM sanitization to limited whitelist

radicle-dev · Dec 18, 2024 · 6aef218 · 6aef218
1 parent bec0404
commit 6aef218
Showing 1 changed file with 46 additions and 4 deletions.
diff --git a/src/lib/markdown.ts b/src/lib/markdown.ts
@@ -10,10 +10,52 @@ import { markedEmoji } from "marked-emoji";
 import emojis from "@app/lib/emojis";
 
 dompurify.setConfig({
-  // eslint-disable-next-line @typescript-eslint/naming-convention
-  SANITIZE_DOM: false,
-  // eslint-disable-next-line @typescript-eslint/naming-convention
-  FORBID_TAGS: ["textarea", "style"],
+  /* eslint-disable @typescript-eslint/naming-convention */
+  ALLOWED_ATTR: [
+    "align",
+    "checked",
+    "class",
+    "href",
+    "id",
+    "name",
+    "target",
+    "text",
+    "title",
+    "src",
+    "type",
+  ],
+  ALLOWED_TAGS: [
+    "a",
+    "blockquote",
+    "br",
+    "code",
+    "dd",
+    "div",
+    "dl",
+    "dt",
+    "em",
+    "h1",
+    "h2",
+    "h3",
+    "h4",
+    "h5",
+    "h6",
+    "hr",
+    "img",
+    "input",
+    "li",
+    "ol",
+    "p",
+    "pre",
+    "table",
+    "tbody",
+    "td",
+    "th",
+    "thead",
+    "tr",
+    "ul",
+  ],
+  /* eslint-enable @typescript-eslint/naming-convention */
 });
 
 // Converts self closing anchor tags into empty anchor tags, to avoid erratic wrapping behaviour