Allow more text mutation for safe HTML

2024-12-17 15:57:59 +01:00 · 2024-12-17 15:57:59 +01:00 · 2a2a916ac1
commit 2a2a916ac1
parent 2256adae26
1 changed files with 23 additions and 5 deletions
--- a/lib/fic_tracker/converters/to_safe_html.rb
+++ b/lib/fic_tracker/converters/to_safe_html.rb
@ -14,13 +14,17 @@ module Kramdown::Converter
      @options[:template] = 'string://<%= Html.convert(@body).first %>'
    end

-    SUPERFLUOUS_TAGS = %w[align class justify]
-
+    ALLOWED_ATTRS = %w[alt dir hidden inert lang title translate]
    def convert(el)
      real_el, el = el, el.value if el.type == :footnote

-      # Strip out unnecessary HTML tags
-      SUPERFLUOUS_TAGS.each { |tag| el.attr.delete tag if el.attr.key? tag }
+      # Strip out superfluous and invalid HTML 5 tags
+      style = el.attr['style'] || ""
+      style += ";text-align:#{el.attr['align']}" if el.attr.key? 'align'
+      style = strip_style(style) if style.include? ':'
+
+      el.attr.delete_if { |key, _| !ALLOWED_ATTRS.include?(key) }
+      el.attr['style'] = style if style.include? ':'

      children = el.children.dup
      index = 0
@ -43,5 +47,19 @@ module Kramdown::Converter

      real_el || el
    end
+
+    private
+
+    ALLOWED_STYLE_ASSIGNMENTS = %w[font-size font-style font-weight text-align]
+    def strip_style(style)
+      parts = style.split(';').select { |p| p.include? ':' }.to_h do |assign|
+        parts = assign.split(':')
+        [parts.first.strip, parts.last.strip] 
+      end
+
+      parts.delete_if { |key, _| !ALLOWED_STYLE_ASSIGNMENTS.include?(key) }
+
+      parts.map { |key, val| "#{key}:#{val}" }.join(';')
+    end
  end
 end