Add more to buns purify

bafdfb47 · creations · c867c57a · bafdfb47
Verified Commit bafdfb47 authored 2 months ago by creations
--- a/src/routes/api/readme.ts
+++ b/src/routes/api/readme.ts
 import { redisTtl } from "@config/environment";
-import { fetch } from "bun";
-import { redis } from "bun";
+import { fetch, redis } from "bun";
 import { marked } from "marked";

 const routeDef: RouteDef = {
@@ -22,10 +21,35 @@ async function addLazyLoading(html: string): Promise<string> {

 async function sanitizeHtml(html: string): Promise<string> {
 	return new HTMLRewriter()
-		.on("script, iframe, object, embed, link[rel=import]", {
+		.on(
+			"script, iframe, object, embed, link[rel=import], svg, math, base, meta[http-equiv='refresh']",
+			{
 				element(el) {
 					el.remove();
 				},
+			},
+		)
+		.on("*", {
+			element(el) {
+				for (const [name, value] of el.attributes) {
+					const lowerName = name.toLowerCase();
+					const lowerValue = value.toLowerCase();
+
+					if (lowerName.startsWith("on")) {
+						el.removeAttribute(name);
+					}
+
+					if (
+						(lowerName === "href" ||
+							lowerName === "src" ||
+							lowerName === "action") &&
+						(lowerValue.startsWith("javascript:") ||
+							lowerValue.startsWith("data:"))
+					) {
+						el.removeAttribute(name);
+					}
+				}
+			},
 		})
 		.on("img", {
 			element(el) {