From 8d248bc32fa18e4bc9c26fabf603fdaadc45963c Mon Sep 17 00:00:00 2001
From: Simon Ser
Date: Wed, 8 Jan 2020 14:25:46 +0100
Subject: Extract HTML sanitizer to its own file
---
 plugins/base/routes.go | 8 +-------
 1 file changed, 1 insertion(+), 7 deletions(-)
(limited to 'plugins/base/routes.go')
diff --git a/plugins/base/routes.go b/plugins/base/routes.go
index a5c6c21..798615f 100644
--- a/plugins/base/routes.go
+++ b/plugins/base/routes.go
@@ -16,7 +16,6 @@ import (
 "github.com/emersion/go-message"
 "github.com/emersion/go-smtp"
 "github.com/labstack/echo/v4"
- "github.com/microcosm-cc/bluemonday"
 )
 func registerRoutes(p *koushin.GoPlugin) {
@@ -246,12 +245,7 @@ func handleGetPart(ctx *koushin.Context, raw bool) error {
 isHTML := false
 if strings.EqualFold(mimeType, "text/html") {
- p := bluemonday.UGCPolicy()
- // TODO: be more strict
- p.AllowElements("style")
- p.AllowAttrs("style")
- p.AddTargetBlankToFullyQualifiedLinks(true)
- body = p.Sanitize(body)
+ body = sanitizeHTML(body)
 isHTML = true
 }
-- 
cgit v1.2.3-59-g8ed1b
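Review bot: The call `body = sanitizeHTML(body)` in handleGetPart is now the only filter applied to an untrusted text/html message part before `isHTML` is set, and nothing at the call site states what the helper guarantees. The helper is defined outside this diff (the view is limited to routes.go), so it should be confirmed that it carries over the removed `// TODO: be more strict` note together with the `style` element and attribute allowances, which go beyond bluemonday's UGC policy and let message-supplied CSS through. I would add a comment above the call such as `// body is untrusted message content; sanitizeHTML is the only filter applied before it is marked as HTML`, since how the template treats isHTML is presumably to render the body unescaped, which is not visible here. handleGetPart's body starts and ends outside the hunk.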