v6/src/activitypub/util/sanitize.rs

use ammonia::Builder;
use once_cell::sync::Lazy;

static BUILDER: Lazy<Builder> = Lazy::new(|| {
    let mut builder = Builder::empty();
    builder.tags(
        [
            "a",
            "span",
            "p",
            "br",
            "b",
            "strong",
            "i",
            "em",
            "s",
            "del",
            "u",
            "code",
            "pre",
            "ul",
            "ol",
            "li",
            "blockquote",
            "img",
        ]
        .into_iter()
        .collect(),
    );
    builder.tag_attributes(
        [
            ("a", ["href", "data-user"].into_iter().collect()),
            ("img", ["src"].into_iter().collect()),
        ]
        .into_iter()
        .collect(),
    );
    builder.set_tag_attribute_values(
        // note: rel="noopener noreferrer" is added automatically
        [("a", [("target", "_blank")].into_iter().collect())]
            .into_iter()
            .collect(),
    );
    builder
});

pub fn sanitize_html(html: &str) -> String {
    BUILDER.clean(html).to_string()
}

#[cfg(test)]
mod tests {
    use super::sanitize_html;

    #[test]
    fn test_a_attrs() {
        let source = r#"<p>hello <a href="https://example.com">world</a></p>"#;
        let output = sanitize_html(source);
        assert_eq!(
            output,
            r#"<p>hello <a href="https://example.com" target="_blank" rel="noopener noreferrer">world</a></p>"#
        );
    }
}