Link hashtag bug (#121)

* link + hashtag bug * remove printlns * tidy up some duplicated code
2025-10-29 17:52:24 -05:00 · 2021-07-29 13:18:22 +02:00 · 2021-07-29 13:18:22 +02:00 · a940a520d3
commit a940a520d3
parent ea8ad8b346
15 changed files with 349 additions and 97 deletions
--- a/internal/text/sanitize.go
+++ b/internal/text/sanitize.go
@ -30,7 +30,13 @@ import (
 var regular *bluemonday.Policy = bluemonday.UGCPolicy().
 	RequireNoReferrerOnLinks(true).
 	RequireNoFollowOnLinks(true).
-	RequireCrossOriginAnonymous(true)
+	RequireCrossOriginAnonymous(true).
+	AddTargetBlankToFullyQualifiedLinks(true)
+
+// outgoing policy should be used on statuses we've already parsed and added our own elements etc to. It is less strict than regular.
+var outgoing *bluemonday.Policy = regular.
+	AllowAttrs("class", "href", "rel").OnElements("a").
+	AllowAttrs("class").OnElements("span")

 // '[C]an be thought of as equivalent to stripping all HTML elements and their attributes as it has nothing on its allowlist.
 // An example usage scenario would be blog post titles where HTML tags are not expected at all
@ -48,3 +54,9 @@ func SanitizeHTML(in string) string {
 func RemoveHTML(in string) string {
 	return strict.Sanitize(in)
 }
+
+// SanitizeOutgoing cleans up HTML in the given string, allowing through only safe elements and elements that were added during the parsing process.
+// This should be used on text that we've already converted into HTML, just to catch any weirdness.
+func SanitizeOutgoing(in string) string {
+	return outgoing.Sanitize(in)
+}