authorLibravatar Tobi Smethurst <31960611+tsmethurst@users.noreply.github.com>2021-07-29 13:18:22 +0200
committerLibravatar GitHub <noreply@github.com>2021-07-29 13:18:22 +0200
commita940a520d301d00f42012743b3999a73f7180848 (patch)
tree50bdd749381d6f773df46dbc4cc33a9b533a4e7b /internal/text/sanitize.go
parentLink parsing (#120) (diff)
Link hashtag bug (#121)
* link + hashtag bug * remove printlns * tidy up some duplicated code
Diffstat (limited to 'internal/text/sanitize.go')
-rw-r--r--internal/text/sanitize.go14
1 files changed, 13 insertions, 1 deletions
diff --git a/internal/text/sanitize.go b/internal/text/sanitize.go
index aac9d8aab..365875d46 100644
--- a/internal/text/sanitize.go
+++ b/internal/text/sanitize.go
@@ -30,7 +30,13 @@ import (
var regular *bluemonday.Policy = bluemonday.UGCPolicy().
RequireNoReferrerOnLinks(true).
RequireNoFollowOnLinks(true).
- RequireCrossOriginAnonymous(true)
+ RequireCrossOriginAnonymous(true).
+ AddTargetBlankToFullyQualifiedLinks(true)
+
+// outgoing policy should be used on statuses we've already parsed and added our own elements etc to. It is less strict than regular.
+var outgoing *bluemonday.Policy = regular.
+ AllowAttrs("class", "href", "rel").OnElements("a").
+ AllowAttrs("class").OnElements("span")
// '[C]an be thought of as equivalent to stripping all HTML elements and their attributes as it has nothing on its allowlist.
// An example usage scenario would be blog post titles where HTML tags are not expected at all
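Review bot: `outgoing` is built by chaining onto `regular`, and bluemonday's `AllowAttrs(...).OnElements(...)` modifies the policy it is called on and returns that same pointer, so the two variables end up naming one shared policy. The `class` allowance on `a` and `span` then also applies wherever `regular` is used (presumably `SanitizeHTML`, whose body is outside this hunk), which is the path the comment describes as the stricter one. Give `outgoing` its own `bluemonday.UGCPolicy()` chain so the relaxation stays confined to statuses that have already been parsed. A test asserting that the regular policy still strips `class` from a `span` would catch this aliasing if it reappears.

```go
// outgoing gets its own policy instance; chaining onto regular would loosen regular as well.
var outgoing *bluemonday.Policy = bluemonday.UGCPolicy().
	RequireNoReferrerOnLinks(true).
	RequireNoFollowOnLinks(true).
	RequireCrossOriginAnonymous(true).
	AddTargetBlankToFullyQualifiedLinks(true).
	AllowAttrs("class", "href", "rel").OnElements("a").
	AllowAttrs("class").OnElements("span")
```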
@@ -48,3 +54,9 @@ func SanitizeHTML(in string) string {
func RemoveHTML(in string) string {
return strict.Sanitize(in)
}
+
+// SanitizeOutgoing cleans up HTML in the given string, allowing through only safe elements and elements that were added during the parsing process.
+// This should be used on text that we've already converted into HTML, just to catch any weirdness.
+func SanitizeOutgoing(in string) string {
+ return outgoing.Sanitize(in)
+}
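Review bot: The doc comment on `SanitizeOutgoing` does not say which input it must not be given. Because the outgoing policy admits `class` on `a` and `span`, passing remote or user-submitted HTML through it would let that markup keep class values that the parsing step otherwise reserves for its own elements. I would add a line such as `// Do not call this on remote or user-submitted HTML; use SanitizeHTML for untrusted input.` and replace "just to catch any weirdness" with a statement of what is expected to be stripped at this stage.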