read allowedTags from options, fall back to static

2025-11-11 07:45:51 +01:00 · 2024-11-17 16:08:44 -07:00
parent 9ef899eec5
commit d08f09ae3b
2 changed files with 29 additions and 5 deletions
--- a/src/services/html_sanitizer.ts
+++ b/src/services/html_sanitizer.ts
@@ -1,5 +1,6 @@
 import sanitizeHtml from "sanitize-html";
 import sanitizeUrl from "@braintree/sanitize-url";
+import optionService from "./options.js";

 // intended mainly as protection against XSS via import
 // secondarily, it (partly) protects against "CSS takeover"
@@ -23,9 +24,13 @@ function sanitize(dirtyHtml: string) {
        }
    }

-    // to minimize document changes, compress H
-    return sanitizeHtml(dirtyHtml, {
-        allowedTags: [
+    // Get allowed tags from options, with fallback to default list if option not yet set
+    let allowedTags;
+    try {
+        allowedTags = JSON.parse(optionService.getOption('allowedHtmlTags'));
+    } catch (e) {
+        // Fallback to default list if option doesn't exist or is invalid
+        allowedTags = [
            'h1', 'h2', 'h3', 'h4', 'h5', 'h6', 'blockquote', 'p', 'a', 'ul', 'ol',
            'li', 'b', 'i', 'strong', 'em', 'strike', 's', 'del', 'abbr', 'code', 'hr', 'br', 'div',
            'table', 'thead', 'caption', 'tbody', 'tfoot', 'tr', 'th', 'td', 'pre', 'section', 'img',
@@ -37,7 +42,12 @@ function sanitize(dirtyHtml: string) {
            'acronym', 'article', 'big', 'button', 'cite', 'col', 'colgroup', 'data', 'dd',
            'fieldset', 'form', 'legend', 'meter', 'noscript', 'option', 'progress', 'rp',
            'samp', 'small', 'sub', 'sup', 'template', 'textarea', 'tt'
-        ],
+        ];
+    }
+
+    // to minimize document changes, compress H
+    return sanitizeHtml(dirtyHtml, {
+        allowedTags,
        allowedAttributes: {
            '*': [ 'class', 'style', 'title', 'src', 'href', 'hash', 'disabled', 'align', 'alt', 'center', 'data-*' ]
        },