move sanitization code out of api package

2026-01-29 10:01:14 +00:00 · 2026-01-25 06:25:21 +01:00
parent 02be603dcc
commit e241d35efe
7 changed files with 63 additions and 56 deletions
--- a/render/helpers.go
+++ b/render/helpers.go
@@ -10,10 +10,12 @@ import (

 func (r *renderer) registerHelpers() {
 	funcmap := map[string]any{
-		"noteq":         noteq,
-		"ifNonZeroTime": ifNonZeroTime,
-		"relTime":       relTime,
-		"rewriteUrl":    rewriteUrl,
+		"noteq":               noteq,
+		"ifNonZeroTime":       ifNonZeroTime,
+		"relTime":             relTime,
+		"rewriteUrl":          rewriteUrl,
+		"sanitizeDescription": sanitizeDescription,
+		"sanitizeComment":     sanitizeComment,
 	}
 	raymond.RegisterHelpers(funcmap)
 }
--- a/render/sanitize.go
+++ b/render/sanitize.go
@@ -0,0 +1,53 @@
+package render
+
+import (
+	"regexp"
+	"strings"
+
+	"github.com/microcosm-cc/bluemonday"
+	"gitlab.com/golang-commonmark/linkify"
+)
+
+var imgurRe = regexp.MustCompile(`https?://imgur\.com/(gallery|a)?/(.*)`)
+var imgurRe2 = regexp.MustCompile(`https?://imgur\.com/(.*)`)
+var imgRe = regexp.MustCompile(`https?://i\.imgur\.com/(.*)\.(png|gif|jpe?g|webp)`)
+var vidRe = regexp.MustCompile(`https?://i\.imgur\.com/(.*)\.(mp4|webm)`)
+var vidFormatRe = regexp.MustCompile(`\.(mp4|webm)`)
+var iImgurRe = regexp.MustCompile(`https?://i\.imgur\.com`)
+
+func sanitizeDescription(src string) string {
+	src = strings.ReplaceAll(src, "\n", "<br>")
+	return bluemonday.UGCPolicy().Sanitize(src)
+}
+func sanitizeComment(src string) string {
+	src = strings.ReplaceAll(src, "\n", "<br>")
+
+	for _, match := range imgRe.FindAllString(src, -1) {
+		img := iImgurRe.ReplaceAllString(match, "")
+		img = `<img src="` + img + `" class="comment__media" loading="lazy"/>`
+		src = strings.Replace(src, match, img, 1)
+	}
+	for _, match := range vidRe.FindAllString(src, -1) {
+		vid := iImgurRe.ReplaceAllString(match, "")
+		vid = `<video class="comment__media" controls loop preload="none" poster="` + vidFormatRe.ReplaceAllString(vid, ".webp") + `"><source type="` + strings.Split(vid, ".")[1] + `" src="` + vid + `" /></video>`
+		src = strings.Replace(src, match, vid, 1)
+	}
+	for _, l := range linkify.Links(src) {
+		origLink := (src)[l.Start:l.End]
+		link := `<a href="` + origLink + `">` + origLink + `</a>`
+		src = strings.Replace(src, origLink, link, 1)
+	}
+	src = imgurRe.ReplaceAllString(src, "/$1/$2")
+	src = imgurRe2.ReplaceAllString(src, "/$1")
+
+	p := bluemonday.UGCPolicy()
+	p.AllowImages()
+	p.AllowElements("video", "source")
+	p.AllowAttrs("src", "tvpe").OnElements("source")
+	p.AllowAttrs("controls", "loop", "preload", "poster").OnElements("video")
+	p.AllowAttrs("class", "loading").OnElements("img", "video")
+	p.RequireNoReferrerOnLinks(true)
+	p.RequireNoFollowOnLinks(true)
+	p.RequireCrossOriginAnonymous(true)
+	return p.Sanitize(src)
+}