From bafdfb47f98a5397f1bf93a1e0ab8fc4d41ab1b1 Mon Sep 17 00:00:00 2001
From: creations
Date: Sat, 26 Apr 2025 11:48:54 -0400
Subject: [PATCH] Add more to buns purify

---
 src/routes/api/readme.ts | 32 ++++++++++++++++++++++++++++----
 1 file changed, 28 insertions(+), 4 deletions(-)

diff --git a/src/routes/api/readme.ts b/src/routes/api/readme.ts
index 012b6b4..ca94922 100644
--- a/src/routes/api/readme.ts
+++ b/src/routes/api/readme.ts
@@ -1,6 +1,5 @@
 import { redisTtl } from "@config/environment";
-import { fetch } from "bun";
-import { redis } from "bun";
+import { fetch, redis } from "bun";
 import { marked } from "marked";
 const routeDef: RouteDef = {
@@ -22,9 +21,34 @@ async function addLazyLoading(html: string): Promise {
 async function sanitizeHtml(html: string): Promise {
 return new HTMLRewriter()
- .on("script, iframe, object, embed, link[rel=import]", {
+ .on(
+ "script, iframe, object, embed, link[rel=import], svg, math, base, meta[http-equiv='refresh']",
+ {
+ element(el) {
+ el.remove();
+ },
+ },
+ )
+ .on("*", {
 element(el) {
- el.remove();
+ for (const [name, value] of el.attributes) {
+ const lowerName = name.toLowerCase();
+ const lowerValue = value.toLowerCase();
+
+ if (lowerName.startsWith("on")) {
+ el.removeAttribute(name);
+ }
+
+ if (
+ (lowerName === "href" ||
+ lowerName === "src" ||
+ lowerName === "action") &&
+ (lowerValue.startsWith("javascript:") ||
+ lowerValue.startsWith("data:"))
+ ) {
+ el.removeAttribute(name);
+ }
+ }
 },
 })
 .on("img", {