mirror/aliasvault
1
0
Fork 0
mirror of https://github.com/aliasvault/aliasvault.git synced 2026-02-01 18:02:31 -05:00
Code Issues Packages Projects Releases Wiki Activity
Files
c2177d0c8d4fa252e8a063ff0c844cf2c2fb2f90
aliasvault/apps/mobile-app/utils/ConversionUtility.ts
Leendert de Borst 382e2e96fa Improve email viewer content rendering
2026-01-30 21:05:59 +01:00

79 lines
2.7 KiB
TypeScript
Raw Blame History

import sanitizeHtml from 'sanitize-html';
/**
* sanitize-html configuration for email viewing.
* Allows safe HTML elements for email display while blocking XSS vectors.
* Note: Using sanitize-html instead of DOMPurify because React Native
* doesn't have a DOM environment that DOMPurify requires.
*/
const EMAIL_SANITIZER_CONFIG: sanitizeHtml.IOptions = {
// Disable style parsing as it requires PostCSS which doesn't work in React Native
// See: https://github.com/apostrophecms/sanitize-html/issues/547
parseStyleAttributes: false,
allowedTags: [
'div', 'span', 'p', 'br', 'hr',
'h1', 'h2', 'h3', 'h4', 'h5', 'h6',
'ul', 'ol', 'li',
'table', 'thead', 'tbody', 'tfoot', 'tr', 'th', 'td',
'a', 'img',
'b', 'i', 'u', 's', 'strike', 'strong', 'em', 'small', 'sub', 'sup',
'blockquote', 'pre', 'code',
'font', 'center'
],
allowedAttributes: {
'*': ['style', 'class', 'id'],
'table': ['width', 'height', 'align', 'valign', 'bgcolor', 'border', 'cellpadding', 'cellspacing'],
'tr': ['align', 'valign', 'bgcolor'],
'th': ['width', 'height', 'align', 'valign', 'bgcolor', 'colspan', 'rowspan'],
'td': ['width', 'height', 'align', 'valign', 'bgcolor', 'colspan', 'rowspan'],
'a': ['href', 'target', 'rel'],
'img': ['src', 'alt', 'title', 'width', 'height'],
'font': ['color', 'face', 'size']
},
allowedSchemes: ['http', 'https', 'mailto'],
// Disable data: URIs for security (can be used for XSS)
allowedSchemesByTag: {
img: ['http', 'https'],
a: ['http', 'https', 'mailto']
}
};
/**
* Utility class for conversion operations.
* TODO: make this a shared utility class in root /core/ folder so we can reuse it between
* browser extension/mobile app and possibly WASM client.
*/
class ConversionUtility {
/**
* Sanitizes HTML content for safe display in email viewers.
* Removes all script tags, event handlers, and other XSS attack vectors.
* @param html The HTML content to sanitize.
* @returns Sanitized HTML safe for display.
*/
public sanitizeHtmlForEmailViewing(html: string): string {
if (!html || html.trim() === '') {
return html;
}
try {
return sanitizeHtml(html, EMAIL_SANITIZER_CONFIG);
} catch (ex) {
console.error(`Error in sanitizeHtmlForEmailViewing: ${ex instanceof Error ? ex.message : String(ex)}`);
// Return empty string on error to prevent potential XSS
return '';
}
}
/**
* Normalize a username by converting it to lowercase and trimming whitespace.
* @param username The username to normalize.
* @returns The normalized username.
*/
public normalizeUsername(username: string): string {
return username.toLowerCase().trim();
}
}
export default new ConversionUtility();
Reference in New Issue View Git Blame Copy Permalink