fix: sanitize-html configuration passed in src/posts/parse.js

Cursory review of sanitize-html documentation suggests that the currently-used `globalAttributes` property no longer exists, but was replaced with `nonBooleanAttributes`, likely because the attribute allow-list explicitly applies only to "non-boolean" attributes (e.g. not `checked` or `selected`). Either way it does not likely affect us but is mainly here for future-proofing purposes.
2025-10-26 16:46:12 +01:00 · 2024-05-23 15:04:36 -04:00
parent 598c10c6a9
commit db30834ebc
1 changed files with 3 additions and 6 deletions
--- a/src/posts/parse.js
+++ b/src/posts/parse.js
@@ -27,13 +27,10 @@ let sanitizeConfig = {
 		source: ['type', 'src', 'srcset', 'sizes', 'media', 'height', 'width'],
 		embed: ['height', 'src', 'type', 'width'],
 	},
-	globalAttributes: ['accesskey', 'class', 'contenteditable', 'dir',
+	nonBooleanAttributes: ['accesskey', 'class', 'contenteditable', 'dir',
 		'draggable', 'dropzone', 'hidden', 'id', 'lang', 'spellcheck', 'style',
-		'tabindex', 'title', 'translate', 'aria-expanded', 'data-*',
+		'tabindex', 'title', 'translate', 'aria-*', 'data-*',
 	],
-	allowedClasses: {
-		...sanitize.defaults.allowedClasses,
-	},
 };

 module.exports = function (Posts) {
@@ -121,7 +118,7 @@ module.exports = function (Posts) {
 		sanitizeConfig.allowedTags.forEach((tag) => {
 			sanitizeConfig.allowedAttributes[tag] = _.union(
 				sanitizeConfig.allowedAttributes[tag],
-				sanitizeConfig.globalAttributes
+				sanitizeConfig.nonBooleanAttributes
 			);
 		});