From 6aef21825482ae689a2bce011b00c5dfaedabc47 Mon Sep 17 00:00:00 2001 From: Sebastian Martinez Date: Wed, 18 Dec 2024 13:57:25 +0100 Subject: [PATCH] Restrict DOM sanitization to limited whitelist --- src/lib/markdown.ts | 50 +++++++++++++++++++++++++++++++++++++++++---- 1 file changed, 46 insertions(+), 4 deletions(-) diff --git a/src/lib/markdown.ts b/src/lib/markdown.ts index bd9b039..2758302 100644 --- a/src/lib/markdown.ts +++ b/src/lib/markdown.ts @@ -10,10 +10,52 @@ import { markedEmoji } from "marked-emoji"; import emojis from "@app/lib/emojis"; dompurify.setConfig({ - // eslint-disable-next-line @typescript-eslint/naming-convention - SANITIZE_DOM: false, - // eslint-disable-next-line @typescript-eslint/naming-convention - FORBID_TAGS: ["textarea", "style"], + /* eslint-disable @typescript-eslint/naming-convention */ + ALLOWED_ATTR: [ + "align", + "checked", + "class", + "href", + "id", + "name", + "target", + "text", + "title", + "src", + "type", + ], + ALLOWED_TAGS: [ + "a", + "blockquote", + "br", + "code", + "dd", + "div", + "dl", + "dt", + "em", + "h1", + "h2", + "h3", + "h4", + "h5", + "h6", + "hr", + "img", + "input", + "li", + "ol", + "p", + "pre", + "table", + "tbody", + "td", + "th", + "thead", + "tr", + "ul", + ], + /* eslint-enable @typescript-eslint/naming-convention */ }); // Converts self closing anchor tags into empty anchor tags, to avoid erratic wrapping behaviour
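Review bot: `ALLOWED_ATTR` in the new config keeps `target` and `href` on `a` but omits `rel`, so any `rel="noopener noreferrer"` the renderer attaches to external links is stripped by DOMPurify; add `"rel",` to the list (after `"name",` to keep the alphabetical order) so that protection survives sanitization. `ALLOWED_TAGS` lists `em` but not `strong`, `del`, `sup`, `sub` or `details`/`summary`, so if marked's default renderer is used, bold and strikethrough markup is removed (their text is kept, since `KEEP_CONTENT` defaults to true) — presumably unintended, worth confirming against the rendered output. `alt` is likewise missing from `ALLOWED_ATTR`, so every `img` loses its alt text. Because dropping `SANITIZE_DOM: false` re-enables DOMPurify's DOM-clobbering check, `id`/`name` values that collide with `document` or form properties are now removed as well; a comment above `ALLOWED_ATTR` such as `// Allow-lists replace DOMPurify's defaults entirely: anything not listed is stripped (text content is kept), and id/name values that would clobber document/form properties are dropped.` would record that these two lists are the whole policy.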