import DOMPurify from 'isomorphic-dompurify';

/** Tags a Geschichte body may keep after sanitisation; anything else is stripped (content kept). */
const ALLOWED_TAGS: readonly string[] = ['p', 'br', 'strong', 'em', 'h2', 'h3', 'ul', 'ol', 'li'];

/**
 * Render-side sanitiser for Geschichte body HTML.
 *
 * The backend already sanitises with the OWASP allow-list on save, but the
 * allow-list is applied again on render because the API can be called
 * directly and stored content can pre-date a tightening of the allow-list.
 *
 * @param raw - Stored body HTML; `null`, `undefined` and `''` all yield `''`.
 * @returns Markup restricted to {@link ALLOWED_TAGS} with every attribute removed.
 */
export function safeHtml(raw: string | null | undefined): string {
  if (raw == null || raw === '') {
    return '';
  }
  return DOMPurify.sanitize(raw, {
    ALLOWED_TAGS: [...ALLOWED_TAGS],
    // No attributes at all: href/src/style/on* handlers are dropped wholesale
    // rather than relying on per-attribute URL or CSS filtering.
    ALLOWED_ATTR: [],
  });
}