fix: use sanitize-html (#14312)

* fix: use sanitize-html * test: add brief test
DIYgod · Jan 23, 2024 · d1b3e16 · d1b3e16
1 parent 839d36e
commit d1b3e16
Show file tree

Hide file tree

Showing 3 changed files with 24 additions and 1 deletion.
diff --git a/lib/middleware/parameter.js b/lib/middleware/parameter.js
@@ -8,6 +8,7 @@ const md = require('markdown-it')({
     html: true,
 });
 const htmlToText = require('html-to-text');
+const sanitizeHtml = require('sanitize-html');
 
 let mercury_parser;
 
@@ -353,7 +354,7 @@ module.exports = async (ctx, next) => {
                     for (const item of ctx.state.data.item) {
                         let text;
                         if (item.description) {
-                            text = item.description.replaceAll(/<\/?[^>]+(>|$)/g, '');
+                            text = sanitizeHtml(item.description, { allowedTags: [], allowedAttributes: {} });
                         }
                         if (text?.length) {
                             item.description = text.length > ctx.query.brief ? `<p>${text.substring(0, ctx.query.brief)}…</p>` : `<p>${text}</p>`;

diff --git a/lib/v2/test/index.js b/lib/v2/test/index.js
@@ -223,6 +223,17 @@ module.exports = async (ctx) => {
 
             break;
 
+        case 'brief':
+            item.push({
+                title: '小可愛',
+                description: '<p>宇宙無敵</p><br>'.repeat(1000),
+                link: `/DIYgod/RSSHub/issues/0`,
+                pubDate: new Date(1_546_272_000_000).toUTCString(),
+                author: `DIYgod0`,
+            });
+
+            break;
+
         case 'json':
             item.push(
                 {

diff --git a/test/middleware/parameter.js b/test/middleware/parameter.js
@@ -406,6 +406,17 @@ describe('opencc', () => {
     });
 });
 
+describe('brief', () => {
+    it(`brief`, async () => {
+        const response = await request.get('/test/brief?brief=100');
+        const parsed = await parser.parseString(response.text);
+        expect(parsed.items[0].title).toBe('小可愛');
+        expect(parsed.items[0].content).toBe(
+            '<p>宇宙無敵宇宙無敵宇宙無敵宇宙無敵宇宙無敵宇宙無敵宇宙無敵宇宙無敵宇宙無敵宇宙無敵宇宙無敵宇宙無敵宇宙無敵宇宙無敵宇宙無敵宇宙無敵宇宙無敵宇宙無敵宇宙無敵宇宙無敵宇宙無敵宇宙無敵宇宙無敵宇宙無敵宇宙無敵…</p>'
+        );
+    });
+});
+
 describe('multi parameter', () => {
     it(`filter before limit`, async () => {
         const response = await request.get('/test/filter-limit?filterout_title=2&limit=2');