Add basic html sanitization

Author: JoannaaKL

pkg/github/issues.go

@@ -212,15 +212,15 @@ func fragmentToIssue(fragment IssueFragment) *github.Issue {
 
 	return &github.Issue{
 		Number:    github.Ptr(int(fragment.Number)),
-		Title:     github.Ptr(sanitize.FilterInvisibleCharacters(string(fragment.Title))),
+		Title:     github.Ptr(sanitize.Sanitize(string(fragment.Title))),
 		CreatedAt: &github.Timestamp{Time: fragment.CreatedAt.Time},
 		UpdatedAt: &github.Timestamp{Time: fragment.UpdatedAt.Time},
 		User: &github.User{
 			Login: github.Ptr(string(fragment.Author.Login)),
 		},
 		State:    github.Ptr(string(fragment.State)),
 		ID:       github.Ptr(fragment.DatabaseID),
-		Body:     github.Ptr(sanitize.FilterInvisibleCharacters(string(fragment.Body))),
+		Body:     github.Ptr(sanitize.Sanitize(string(fragment.Body))),
 		Labels:   foundLabels,
 		Comments: github.Ptr(int(fragment.Comments.TotalCount)),
 	}
@@ -327,10 +327,10 @@ func GetIssue(ctx context.Context, client *github.Client, owner string, repo str
 	// Sanitize title/body on response
 	if issue != nil {
 		if issue.Title != nil {
-			issue.Title = github.Ptr(sanitize.FilterInvisibleCharacters(*issue.Title))
+			issue.Title = github.Ptr(sanitize.Sanitize(*issue.Title))
 		}
 		if issue.Body != nil {
-			issue.Body = github.Ptr(sanitize.FilterInvisibleCharacters(*issue.Body))
+			issue.Body = github.Ptr(sanitize.Sanitize(*issue.Body))
 		}
 	}
 

pkg/github/pullrequests.go

@@ -127,10 +127,10 @@ func GetPullRequest(ctx context.Context, client *github.Client, owner, repo stri
 	// sanitize title/body on response
 	if pr != nil {
 		if pr.Title != nil {
-			pr.Title = github.Ptr(sanitize.FilterInvisibleCharacters(*pr.Title))
+			pr.Title = github.Ptr(sanitize.Sanitize(*pr.Title))
 		}
 		if pr.Body != nil {
-			pr.Body = github.Ptr(sanitize.FilterInvisibleCharacters(*pr.Body))
+			pr.Body = github.Ptr(sanitize.Sanitize(*pr.Body))
 		}
 	}
 
@@ -821,10 +821,10 @@ func ListPullRequests(getClient GetClientFn, t translations.TranslationHelperFun
 					continue
 				}
 				if pr.Title != nil {
-					pr.Title = github.Ptr(sanitize.FilterInvisibleCharacters(*pr.Title))
+					pr.Title = github.Ptr(sanitize.Sanitize(*pr.Title))
 				}
 				if pr.Body != nil {
-					pr.Body = github.Ptr(sanitize.FilterInvisibleCharacters(*pr.Body))
+					pr.Body = github.Ptr(sanitize.Sanitize(*pr.Body))
 				}
 			}
 

pkg/sanitize/sanitize.go

@@ -4,20 +4,10 @@ import (
 	"github.com/microcosm-cc/bluemonday"
 )
 
-type ContentFilter struct {
-	HTMLPolicy *bluemonday.Policy
-}
-
-func NewContentFilter() *ContentFilter {
-	p := bluemonday.NewPolicy()
-	p.AllowElements("b", "blockquote", "br", "code", "em", "h1", "h2", "h3", "h4", "h5", "h6", "hr", "i", "li", "ol", "p", "pre", "strong", "sub", "sup", "table", "tbody", "td", "th", "thead", "tr", "ul")
-	p.AllowAttrs("img", "a")
-	p.AllowAttrs()
-	p.AllowURLSchemes("https")
+var policy *bluemonday.Policy
 
-	return &ContentFilter{
-		HTMLPolicy: p,
-	}
+func Sanitize(input string) string {
+	return FilterHTMLTags(FilterInvisibleCharacters(input))
 }
 
 // FilterInvisibleCharacters removes invisible or control characters that should not appear
@@ -40,11 +30,25 @@ func FilterInvisibleCharacters(input string) string {
 	return string(out)
 }
 
-func (cf *ContentFilter) FilterHtmlTags(input string) string {
+func FilterHTMLTags(input string) string {
+	if policy == nil {
+		policyInit()
+	}
 	if input == "" {
 		return input
 	}
-	return cf.HTMLPolicy.Sanitize(input)
+	return policy.Sanitize(input)
+}
+
+func policyInit() {
+	if policy != nil {
+		return
+	}
+	policy = bluemonday.StrictPolicy()
+	policy.AllowElements("b", "blockquote", "br", "code", "em", "h1", "h2", "h3", "h4", "h5", "h6", "hr", "i", "li", "ol", "p", "pre", "strong", "sub", "sup", "table", "tbody", "td", "th", "thead", "tr", "ul")
+	policy.AllowAttrs("img", "a")
+	policy.AllowURLSchemes("https")
+	policy.AllowImages()
 }
 
 func shouldRemoveRune(r rune) bool {

pkg/sanitize/sanitize_test.go

@@ -186,3 +186,64 @@ func TestShouldRemoveRune(t *testing.T) {
 		})
 	}
 }
+
+func TestFilterHtmlTags(t *testing.T) {
+	tests := []struct {
+		name     string
+		input    string
+		expected string
+	}{
+		{
+			name:     "empty string",
+			input:    "",
+			expected: "",
+		},
+		{
+			name:     "allowed simple tags preserved",
+			input:    "<b>bold</b>",
+			expected: "<b>bold</b>",
+		},
+		{
+			name:     "multiple allowed tags",
+			input:    "<b>bold</b> and <em>italic</em>",
+			expected: "<b>bold</b> and <em>italic</em>",
+		},
+		{
+			name:     "code tag preserved",
+			input:    "<code>fmt.Println(\"hi\")</code>",
+			expected: "<code>fmt.Println(&#34;hi&#34;)</code>", // quotes are escaped by sanitizer
+		},
+		{
+			name:     "disallowed script removed entirely",
+			input:    "<script>alert(1)</script>",
+			expected: "", // StrictPolicy should drop script element and contents
+		},
+		{
+			name:     "anchor removed but inner text kept",
+			input:    "Click <a href='https://example.com'>here</a> now",
+			expected: "Click here now",
+		},
+		{
+			name:     "image removed (no textual fallback)",
+			input:    "<img src='x' alt='y'>",
+			expected: "<img src=\"x\" alt=\"y\">", // images are allowed via AllowImages()
+		},
+		{
+			name:     "mixed allowed and disallowed",
+			input:    "<b>bold</b> <script>alert(1)</script> <em>italic</em>",
+			expected: "<b>bold</b>  <em>italic</em>",
+		},
+		{
+			name:     "idempotent sanitization",
+			input:    FilterHTMLTags("<b>bold</b> and <em>italic</em>"),
+			expected: "<b>bold</b> and <em>italic</em>",
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			result := FilterHTMLTags(tt.input)
+			assert.Equal(t, tt.expected, result)
+		})
+	}
+}