From db30834ebc0c643515e9f8615acb506ee9a94cf9 Mon Sep 17 00:00:00 2001
From: Julian Lam
Date: Thu, 23 May 2024 15:04:36 -0400
Subject: [PATCH] fix: sanitize-html configuration passed in src/posts/parse.js

Cursory review of sanitize-html documentation suggests that the currently-used `globalAttributes` property no longer exists, but was replaced with `nonBooleanAttributes`, likely because the attribute allow-list explicitly applies only to "non-boolean" attributes (e.g. not `checked` or `selected`).

Either way it does not likely affect us but is mainly here for future-proofing purposes.
---
 src/posts/parse.js | 9 +++------
 1 file changed, 3 insertions(+), 6 deletions(-)

diff --git a/src/posts/parse.js b/src/posts/parse.js
index f36013dd77..a29668edb5 100644
--- a/src/posts/parse.js
+++ b/src/posts/parse.js
@@ -27,13 +27,10 @@ let sanitizeConfig = {
 		source: ['type', 'src', 'srcset', 'sizes', 'media', 'height', 'width'],
 		embed: ['height', 'src', 'type', 'width'],
 	},
-	globalAttributes: ['accesskey', 'class', 'contenteditable', 'dir',
+	nonBooleanAttributes: ['accesskey', 'class', 'contenteditable', 'dir',
 		'draggable', 'dropzone', 'hidden', 'id', 'lang', 'spellcheck', 'style',
-		'tabindex', 'title', 'translate', 'aria-expanded', 'data-*',
+		'tabindex', 'title', 'translate', 'aria-*', 'data-*',
 	],
-	allowedClasses: {
-		...sanitize.defaults.allowedClasses,
-	},
 };
 
 module.exports = function (Posts) {
@@ -121,7 +118,7 @@ module.exports = function (Posts) {
 		sanitizeConfig.allowedTags.forEach((tag) => {
 			sanitizeConfig.allowedAttributes[tag] = _.union(
 				sanitizeConfig.allowedAttributes[tag],
-				sanitizeConfig.globalAttributes
+				sanitizeConfig.nonBooleanAttributes
 			);
 		});
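Review bot: Renaming the local `globalAttributes` key to `nonBooleanAttributes` in the first hunk gives it the name of a real sanitize-html option, which the old, unrecognised key never had; if `sanitizeConfig` is later handed to sanitize-html as its options object (not visible in these hunks), the library will read this short list as its `nonBooleanAttributes` setting in place of its own default, and as that option is documented it decides whether an empty attribute value is emitted as `name=""` or bare `name`, so attributes missing from the list (for example `alt` or `href`) would start serializing differently. The second hunk shows the list is only used to seed `allowedAttributes` per tag via `_.union`, so a name that is not a sanitize-html option avoids the collision, e.g. `sharedAttributes: ['accesskey', 'class', 'contenteditable', 'dir',` together with `sanitizeConfig.sharedAttributes` in the `_.union` call. Widening `aria-expanded` to `aria-*` also enlarges the attribute surface that user-submitted markup can set; it carries no script, but assistive-technology labels and roles become spoofable, so a one-line comment recording that this is intentional would help the next reader. The `let sanitizeConfig = {` object starts before the hunk, so whether it is passed through to sanitize-html unchanged cannot be confirmed from here.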