Add disallowedTagsMode option

licitdev · Sep 18, 2022 · 46533b2 · 46533b2
1 parent fc0e69a
commit 46533b2
Show file tree

Hide file tree

Showing 2 changed files with 16 additions and 2 deletions.
diff --git a/README.md b/README.md
@@ -29,14 +29,22 @@ Defaults to no path to omit.
 
 Example: `articles.content,website.rawHtml`
 
-###
+### Customize which HTML tags are allowed
 
 Add the `EXT_SANITIZE_HTML_ALLOWED_TAGS` environment variable with the `<html-tag>` separated by commas.
 
 Defaults to `undefined`, using the defaults from `sanitize-html`.
 
 Example: `a,b,i,em,strong`
 
+### Customize the action taken for disallowed tags
+
+Add the `EXT_SANITIZE_HTML_DISALLOWED_TAGS_MODE` environment variable with `discard`, `escape` or `recursiveEscape`.
+
+Defaults to `undefined`, using the defaults from `sanitize-html`.
+
+Example: `escape`
+
 ## License
 
 GPLv3 License. See the [LICENSE](LICENSE) file.

diff --git a/src/index.ts b/src/index.ts
@@ -22,6 +22,12 @@ export default defineHook(({ filter }) => {
 		? process.env.EXT_SANITIZE_HTML_ALLOWED_TAGS.split(',')
 		: undefined;
 
+	const disallowedTagsMode = process.env.EXT_SANITIZE_HTML_DISALLOWED_TAGS_MODE
+		? ['discard', 'escape', 'recursiveEscape'].includes(process.env.EXT_SANITIZE_HTML_DISALLOWED_TAGS_MODE)
+			? (process.env.EXT_SANITIZE_HTML_DISALLOWED_TAGS_MODE as sanitizeHtml.DisallowedTagsModes)
+			: undefined
+		: undefined;
+
 	for (const eventScope of eventScopes) {
 		filter(eventScope, runSanitize);
 	}
@@ -47,7 +53,7 @@ export default defineHook(({ filter }) => {
 	function sanitize(val: any) {
 		switch (typeof val) {
 			case 'string':
-				return sanitizeHtml(val, { allowedTags });
+				return sanitizeHtml(val, { allowedTags, disallowedTagsMode });
 			case 'object':
 				if (Array.isArray(val)) {
 					for (let i = 0; i < val.length; i++) {