In sanitize(), rebuild the accepted tags with only the accepted attributes.

2024-09-19 18:00:23 +03:00 · 2022-11-16 16:53:59 +01:00 · 2022-11-16 16:53:59 +01:00 · bdc689e594
commit bdc689e594
parent 236ca9af6b
1 changed files with 10 additions and 5 deletions
--- a/format.c
+++ b/format.c
@ -185,6 +185,7 @@ d_char *sanitize(const char *content)
            xs *s1  = xs_strip(xs_crop(xs_dup(v), v[1] == '/' ? 2 : 1, -1));
            xs *l1  = xs_split_n(s1, " ", 1);
            xs *tag = xs_tolower(xs_dup(xs_list_get(l1, 0)));
+            xs *s2  = NULL;
            int i;

            /* check if it's one of the valid tags */
@ -194,14 +195,18 @@ d_char *sanitize(const char *content)
            }

            if (valid_tags[i]) {
-                /* accepted tag */
-                s = xs_str_cat(s, v);
+                /* accepted tag: rebuild it with only the accepted elements */
+                xs *el = xs_regex_match(v, "(href|rel|class|target)=\"[^\"]*\"");
+                xs *s3 = xs_join(el, " ");
+
+                s2 = xs_fmt("<%s%s %s>", v[1] == '/' ? "/" : "", tag, s3);
            }
            else {
-                /* bad tag */
-                xs *s2 = xs_replace(v, "<", "&lt;");
-                s = xs_str_cat(s, s2);
+                /* bad tag: escape it */
+                s2 = xs_replace(v, "<", "&lt;");
            }
+
+            s = xs_str_cat(s, s2);
        }
        else {
            /* non-tag */