1import { browser } from '$app/environment';
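// Lightweight regex-based sanitizer for SSR in Cloudflare Workers
// where DOMPurify is not available. Strips common XSS vectors.
//
// Scope and limits: this is a lexical blocklist, not an HTML parser. It removes
// the element and attribute shapes enumerated below and nothing else — it does
// not decode entities, handles no URL scheme other than `javascript:`, and lets
// tags outside the list through untouched. Treat its output as reduced-risk,
// not as clean; the browser-side DOMPurify pass used by `sanitize` is the real
// sanitizer wherever it is available.

// Elements whose entire body is dropped when the closing tag is present.
const BLOCKED_ELEMENT_RES: readonly RegExp[] = [
  /<script\b[^<]*(?:(?!<\/script>)<[^<]*)*<\/script\s*>/gi,
  /<iframe\b[^<]*(?:(?!<\/iframe>)<[^<]*)*<\/iframe\s*>/gi,
  /<object\b[^<]*(?:(?!<\/object>)<[^<]*)*<\/object\s*>/gi,
  /<style\b[^<]*(?:(?!<\/style>)<[^<]*)*<\/style\s*>/gi,
];

// Start or end tags of blocked elements that survive the pass above — an
// unclosed <script>, a lone </iframe>, any <embed>. Dropping the tag alone turns
// the remainder into plain text instead of leaving a live opening tag behind.
const BLOCKED_TAG_RE = /<\/?(?:script|iframe|object|embed|style)\b[^>]*>/gi;

// Inline event handlers (`onclick="…"`, `onload=x`, …). Purely lexical: it is
// anchored on leading whitespace and can also hit text of the same shape.
const EVENT_HANDLER_RE = /\s+on\w+\s*=\s*(?:"[^"]*"|'[^']*'|[^\s>]+)/gi;

// `javascript:` scheme in href/src. Only the scheme itself is deleted, so the
// attribute keeps whatever quoting it had (rewriting the quote could leave a
// mismatched one behind).
const SCRIPT_SCHEME_RE = /(href|src)(\s*=\s*["']?\s*)javascript\s*:/gi;

/**
 * Regex fallback sanitizer; see the notes above for what it does and does not cover.
 *
 * Deleting a span can join the text on either side into a new tag, so the passes
 * repeat until the string stops changing. Every replacement strictly shortens the
 * input, which guarantees the loop terminates.
 *
 * @param html Untrusted markup.
 * @returns The markup with the blocked elements, event-handler attributes and
 *          `javascript:` href/src schemes removed.
 */
function regexSanitize(html: string): string {
  let out = html;
  let prev: string;
  do {
    prev = out;
    for (const re of BLOCKED_ELEMENT_RES) {
      out = out.replace(re, '');
    }
    out = out
      .replace(BLOCKED_TAG_RE, '')
      .replace(EVENT_HANDLER_RE, '')
      .replace(SCRIPT_SCHEME_RE, '$1$2');
  } while (out !== prev);
  return out;
}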
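// Holds DOMPurify's sanitize once the dynamic import below has resolved. It stays
// null on the server, and on the client until that import completes, so every
// call to `sanitize` in the meantime takes the regex fallback.
let _purify: ((html: string, config?: { ADD_ATTR?: string[] }) => string) | null = null;

if (browser) {
  // Loaded lazily so the SSR bundle never pulls in DOMPurify, which needs a DOM.
  // The `.catch` keeps a failed chunk load from surfacing as an unhandled
  // rejection; callers simply continue on the regex fallback.
  void import('dompurify')
    .then((mod) => {
      _purify = (html, config) => mod.default.sanitize(html, config) as string;
    })
    .catch((err: unknown) => {
      console.warn('dompurify failed to load; continuing with the regex sanitizer', err);
    });
}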
/**
 * Sanitize untrusted HTML before it is rendered.
 *
 * Uses DOMPurify once its browser-side import has finished loading, otherwise
 * the regex fallback. Because that import is asynchronous, calls made on the
 * client before it resolves — not only calls made during SSR — take the regex
 * path, and `config` is not applied on that path.
 *
 * @param dirty  Raw HTML from an untrusted source.
 * @param config Optional DOMPurify options; only ADD_ATTR is typed here.
 * @returns The sanitized markup.
 */
export function sanitize(dirty: string, config?: { ADD_ATTR?: string[] }): string {
  const purify = _purify;
  if (purify === null) {
    return regexSanitize(dirty);
  }
  return purify(dirty, config);
}