From d1b3e161dc1603ebbe95ceca4d148a0cc7875f33 Mon Sep 17 00:00:00 2001
From: Tony
Date: Tue, 23 Jan 2024 18:40:11 +0000
Subject: [PATCH] fix: use sanitize-html (#14312)
* fix: use sanitize-html
* test: add brief test
---
 lib/middleware/parameter.js | 3 ++-
 lib/v2/test/index.js | 11 +++++++++++
 test/middleware/parameter.js | 11 +++++++++++
 3 files changed, 24 insertions(+), 1 deletion(-)
diff --git a/lib/middleware/parameter.js b/lib/middleware/parameter.js
index 86f5fa85ee6b3a..5bcfbe14fc5ae2 100644
--- a/lib/middleware/parameter.js
+++ b/lib/middleware/parameter.js
@@ -8,6 +8,7 @@ const md = require('markdown-it')({
 html: true,
 });
 const htmlToText = require('html-to-text');
+const sanitizeHtml = require('sanitize-html');
 let mercury_parser;
@@ -353,7 +354,7 @@ module.exports = async (ctx, next) => {
 for (const item of ctx.state.data.item) {
 let text;
 if (item.description) {
- text = item.description.replaceAll(/<\/?[^>]+(>|$)/g, '');
+ text = sanitizeHtml(item.description, { allowedTags: [], allowedAttributes: {} });
 }
 if (text?.length) {
 item.description = text.length > ctx.query.brief ? `

${text.substring(0, ctx.query.brief)}…

` : `

${text}

`;
diff --git a/lib/v2/test/index.js b/lib/v2/test/index.js
index 18def475af352b..c79739db216008 100644
--- a/lib/v2/test/index.js
+++ b/lib/v2/test/index.js
@@ -223,6 +223,17 @@ module.exports = async (ctx) => {
 break;
+ case 'brief':
+ item.push({
+ title: '小可愛',
+ description: '
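Review bot: The truncation on the `item.description = …` line now cuts escaped output. `sanitizeHtml` with `allowedTags: []` returns text with `&`, `<` and `>` entity-encoded, so `text.substring(0, ctx.query.brief)` can stop in the middle of `&amp;` or `&lt;` (or a surrogate pair) and emit a dangling fragment before the ellipsis. Trimming a trailing partial entity after the cut, e.g. `text.substring(0, ctx.query.brief).replace(/&[#\w]*$/, '')`, would keep the output well-formed. `ctx.query.brief` is request input and its validation is not visible here, since the hunk starts and ends inside the middleware function, so confirm it is a bounded integer before it reaches the comparison and `substring`. The patch touches no `package.json`, so also confirm `sanitize-html` is already declared as a direct dependency rather than resolved transitively.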

宇宙無敵


'.repeat(1000),
+ link: `/DIYgod/RSSHub/issues/0`,
+ pubDate: new Date(1_546_272_000_000).toUTCString(),
+ author: `DIYgod0`,
+ });
+
+ break;
+
 case 'json':
 item.push(
 {
diff --git a/test/middleware/parameter.js b/test/middleware/parameter.js
index af84b8ac7ebd77..c4ca70318a02bd 100644
--- a/test/middleware/parameter.js
+++ b/test/middleware/parameter.js
@@ -406,6 +406,17 @@ describe('opencc', () => {
 });
 });
+describe('brief', () => {
+ it(`brief`, async () => {
+ const response = await request.get('/test/brief?brief=100');
+ const parsed = await parser.parseString(response.text);
+ expect(parsed.items[0].title).toBe('小可愛');
+ expect(parsed.items[0].content).toBe(
+ '

宇宙無敵宇宙無敵宇宙無敵宇宙無敵宇宙無敵宇宙無敵宇宙無敵宇宙無敵宇宙無敵宇宙無敵宇宙無敵宇宙無敵宇宙無敵宇宙無敵宇宙無敵宇宙無敵宇宙無敵宇宙無敵宇宙無敵宇宙無敵宇宙無敵宇宙無敵宇宙無敵宇宙無敵宇宙無敵…

'
+ );
+ });
+});
+
 describe('multi parameter', () => {
 it(`filter before limit`, async () => {
 const response = await request.get('/test/filter-limit?filterout_title=2&limit=2');
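Review bot: The `brief` test pins only the benign case, so nothing here would fail if the sanitizer options were later loosened. The fixture in `lib/v2/test/index.js` repeats one short CJK string and the assertion checks the first 100 characters plus the ellipsis. A second fixture item whose description holds an unclosed tag, a `<script>` element and literal `&`/`<` text near the cut point, with an assertion such as `expect(parsed.items[1].content).not.toMatch(/<script/i)`, would pin that no markup survives and that escaped text is truncated cleanly. The fixture's own markup is stripped on this page, so its exact current content is unconfirmed.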