import DOMPurify from 'isomorphic-dompurify';
// Element allow-list handed to DOMPurify by safeHtml(): basic text
// structure only, no links, media, forms or scripting containers.
const ALLOWED_TAGS = [
  // paragraphs and line breaks
  'p',
  'br',
  // inline emphasis
  'strong',
  'em',
  // section headings
  'h2',
  'h3',
  // lists
  'ul',
  'ol',
  'li'
];
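/**
 * Render-side sanitiser for Geschichte body HTML.
 *
 * The backend already sanitises with the OWASP allow-list on save, but the
 * markup is sanitised again on render because the API can be called directly
 * and stored content can pre-date a tightening of the allow-list.
 *
 * Only elements listed in `ALLOWED_TAGS` are kept, and no attributes are
 * kept on them. The sanitiser configuration is fixed here so that callers
 * cannot widen it per call site.
 *
 * @param raw - Stored body HTML; `null`, `undefined` and `''` are accepted.
 * @returns The sanitised HTML string, or `''` when `raw` is empty or nullish.
 */
export function safeHtml(raw: string | null | undefined): string {
  // Nothing to sanitise; also keeps null/undefined out of DOMPurify.
  if (!raw) return '';

  return DOMPurify.sanitize(raw, {
    ALLOWED_TAGS,
    ALLOWED_ATTR: [],
    // DOMPurify accepts data-* and aria-* attributes independently of
    // ALLOWED_ATTR, so an empty list alone does not mean "no attributes".
    // Switch both off so the output really carries none.
    ALLOW_DATA_ATTR: false,
    ALLOW_ARIA_ATTR: false
  });
}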