fix: sanitize-html configuration passed in src/posts/parse.js

Cursory review of sanitize-html documentation suggests that the currently-used `globalAttributes` property no longer exists, but was replaced with `nonBooleanAttributes`, likely because the attribute allow-list explicitly applies only to "non-boolean" attributes (e.g. not `checked` or `selected`). Either way it does not likely affect us but is mainly here for future-proofing purposes.
NodeBB · May 23, 2024 · ed3a8da · ed3a8da
1 parent 598c10c
commit ed3a8da
Showing 1 changed file with 2 additions and 5 deletions.
diff --git a/src/posts/parse.js b/src/posts/parse.js
@@ -27,13 +27,10 @@ let sanitizeConfig = {
  source: ['type', 'src', 'srcset', 'sizes', 'media', 'height', 'width'],
  embed: ['height', 'src', 'type', 'width'],
  },
- globalAttributes: ['accesskey', 'class', 'contenteditable', 'dir',
+ nonBooleanAttributes: ['accesskey', 'class', 'contenteditable', 'dir',
  'draggable', 'dropzone', 'hidden', 'id', 'lang', 'spellcheck', 'style',
- 'tabindex', 'title', 'translate', 'aria-expanded', 'data-*',
+ 'tabindex', 'title', 'translate', 'aria-*', 'data-*',
  ],
- allowedClasses: {
- ...sanitize.defaults.allowedClasses,
- },
 };
 
 module.exports = function (Posts) {