{"version":3,"file":"sanitizer.mjs","sources":["../../../../../../../../admin/src/pages/EditView/components/FormInputs/Wysiwyg/utils/sanitizer.ts"],"sourcesContent":["import createDOMPurify from 'dompurify';\n\n// Own instance, so the data: hook below stays scoped to this module instead of\n// mutating the library-wide singleton shared with any other DOMPurify consumer.\nconst DOMPurify = createDOMPurify(window);\n\n/**\n * Attribute allowlist. Starts from the prior sanitize-html configuration:\n * '*': href, align, alt, center, width, height, type, controls, target\n * img: src, alt\n * source: src, type\n *\n * DOMPurify's ALLOWED_ATTR is a flat list (no per-tag scoping), so the union\n * of the original allowlist is used. Tags that the prior config never reached\n * (script, iframe, etc.) are stripped wholesale by DOMPurify's default tag\n * allowlist, so per-tag attribute scoping is not security-relevant here.\n *\n * `class` and `title` are additions over the old config (which stripped both):\n * - class: mdRenderer.ts emits `hljs`/`language-*` on code blocks (so the\n * highlight.js solarized-dark stylesheet applies) and `footnote-ref`/\n * `footnote-backref` on footnotes. Stripping it left those styles dead.\n * - title: link/image tooltips and the markdown-it abbr plugin (``).\n * Both are inert in admin-authored content behind the tag allowlist; neither\n * can escalate.\n */\nconst ALLOWED_ATTR = [\n 'href',\n 'src',\n 'alt',\n 'align',\n 'center',\n 'width',\n 'height',\n 'type',\n 'controls',\n 'target',\n 'class',\n 'title',\n];\n\n/**\n * URL scheme allowlist: http(s), ftp, mailto, tel, plus protocol-relative,\n * fragment, and relative URLs. Mirrors sanitize-html's prior allowedSchemes.\n */\nconst ALLOWED_URI_REGEXP = /^(?:(?:https?|ftp|mailto|tel):|[^a-z]|[a-z+.\\-]+(?:[^a-z+.\\-:]|$))/i;\n\n/**\n * DOMPurify permits `data:` URIs on media tags (img/source/video/audio)\n * through its internal DATA_URI_TAGS allowlist, *bypassing* ALLOWED_URI_REGEXP.\n * The prior sanitize-html config stripped every `data:` URI, so strip them here\n * too for parity.\n */\nconst URL_ATTRIBUTES = ['src', 'href', 'xlink:href'];\nDOMPurify.addHook('afterSanitizeAttributes', (node) => {\n if (typeof node.getAttribute !== 'function') {\n return;\n }\n for (const attr of URL_ATTRIBUTES) {\n const value = node.getAttribute(attr);\n if (value && /^\\s*data:/i.test(value)) {\n node.removeAttribute(attr);\n }\n }\n});\n\nconst sanitize = (html: string): string =>\n DOMPurify.sanitize(html, {\n ALLOWED_ATTR,\n ALLOWED_URI_REGEXP,\n ALLOW_DATA_ATTR: false,\n });\n\nexport { sanitize };\n"],"names":["DOMPurify","createDOMPurify","window","ALLOWED_ATTR","ALLOWED_URI_REGEXP","URL_ATTRIBUTES","addHook","node","getAttribute","attr","value","test","removeAttribute","sanitize","html","ALLOW_DATA_ATTR"],"mappings":";;AAEA;AACA;AACA,MAAMA,YAAYC,eAAAA,CAAgBC,MAAAA,CAAAA;AAElC;;;;;;;;;;;;;;;;;;AAkBC,IACD,MAAMC,YAAAA,GAAe;AACnB,IAAA,MAAA;AACA,IAAA,KAAA;AACA,IAAA,KAAA;AACA,IAAA,OAAA;AACA,IAAA,QAAA;AACA,IAAA,OAAA;AACA,IAAA,QAAA;AACA,IAAA,MAAA;AACA,IAAA,UAAA;AACA,IAAA,QAAA;AACA,IAAA,OAAA;AACA,IAAA;AACD,CAAA;AAED;;;AAGC,IACD,MAAMC,kBAAAA,GAAqB,qEAAA;AAE3B;;;;;AAKC,IACD,MAAMC,cAAAA,GAAiB;AAAC,IAAA,KAAA;AAAO,IAAA,MAAA;AAAQ,IAAA;AAAa,CAAA;AACpDL,SAAAA,CAAUM,OAAO,CAAC,yBAAA,EAA2B,CAACC,IAAAA,GAAAA;AAC5C,IAAA,IAAI,OAAOA,IAAAA,CAAKC,YAAY,KAAK,UAAA,EAAY;AAC3C,QAAA;AACF,IAAA;IACA,KAAK,MAAMC,QAAQJ,cAAAA,CAAgB;QACjC,MAAMK,KAAAA,GAAQH,IAAAA,CAAKC,YAAY,CAACC,IAAAA,CAAAA;AAChC,QAAA,IAAIC,KAAAA,IAAS,YAAA,CAAaC,IAAI,CAACD,KAAAA,CAAAA,EAAQ;AACrCH,YAAAA,IAAAA,CAAKK,eAAe,CAACH,IAAAA,CAAAA;AACvB,QAAA;AACF,IAAA;AACF,CAAA,CAAA;AAEA,MAAMI,WAAW,CAACC,IAAAA,GAChBd,SAAAA,CAAUa,QAAQ,CAACC,IAAAA,EAAM;AACvBX,QAAAA,YAAAA;AACAC,QAAAA,kBAAAA;QACAW,eAAAA,EAAiB;AACnB,KAAA;;;;"}