Diffstat (limited to 'internal/text/sanitize.go')
-rw-r--r-- | internal/text/sanitize.go | 14 |
1 files changed, 13 insertions, 1 deletions
diff --git a/internal/text/sanitize.go b/internal/text/sanitize.go
index aac9d8aab..365875d46 100644
--- a/internal/text/sanitize.go
+++ b/internal/text/sanitize.go
@@ -30,7 +30,13 @@ import (
 var regular *bluemonday.Policy = bluemonday.UGCPolicy().
 	RequireNoReferrerOnLinks(true).
 	RequireNoFollowOnLinks(true).
-	RequireCrossOriginAnonymous(true)
+	RequireCrossOriginAnonymous(true).
+	AddTargetBlankToFullyQualifiedLinks(true)
+
+// outgoing policy should be used on statuses we've already parsed and added our own elements etc to. It is less strict than regular.
+var outgoing *bluemonday.Policy = regular.
+	AllowAttrs("class", "href", "rel").OnElements("a").
+	AllowAttrs("class").OnElements("span")
 
 // '[C]an be thought of as equivalent to stripping all HTML elements and their attributes as it has nothing on its allowlist.
 // An example usage scenario would be blog post titles where HTML tags are not expected at all
@@ -48,3 +54,9 @@ func SanitizeHTML(in string) string {
 func RemoveHTML(in string) string {
 	return strict.Sanitize(in)
 }
+
+// SanitizeOutgoing cleans up HTML in the given string, allowing through only safe elements and elements that were added during the parsing process.
+// This should be used on text that we've already converted into HTML, just to catch any weirdness.
+func SanitizeOutgoing(in string) string {
+	return outgoing.Sanitize(in)
+}
|
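Review bot: `outgoing` is not a looser copy of `regular` but the same `*bluemonday.Policy` — bluemonday's builder methods (`AllowAttrs(...).OnElements(...)`) mutate the receiver and return it, so the `var outgoing = regular.AllowAttrs(...)` line in the first hunk also adds `class`/`href`/`rel` on `a` and `class` on `span` to `regular`, and any caller of `regular` (presumably `SanitizeHTML`, whose body is outside these hunks) now lets user-supplied `class` attributes through. The comment "It is less strict than regular" is therefore not true of the shipped behaviour; the two policies need separate construction, e.g. a small helper that builds the shared base fresh for each variable. The second hunk's `SanitizeOutgoing` is fine once `outgoing` is a distinct policy.
```go
// basePolicy builds a fresh UGC policy with the link hardening applied; each
// caller gets its own *Policy, so later AllowAttrs calls do not leak across variables.
func basePolicy() *bluemonday.Policy {
	return bluemonday.UGCPolicy().
		RequireNoReferrerOnLinks(true).
		RequireNoFollowOnLinks(true).
		RequireCrossOriginAnonymous(true).
		AddTargetBlankToFullyQualifiedLinks(true)
}

var regular *bluemonday.Policy = basePolicy()

// outgoing policy should be used on statuses we've already parsed and added our own elements etc to. It is less strict than regular.
var outgoing *bluemonday.Policy = basePolicy().
	AllowAttrs("class", "href", "rel").OnElements("a").
	AllowAttrs("class").OnElements("span")
// … unchanged: strict policy and SanitizeHTML/RemoveHTML/SanitizeOutgoing …
```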