1833182e90
- blueprint rolePresets: cap array at 100 items to prevent storage abuse
- notification CreateManagedNotification: add .max() on title (500), body (2000), type (100), entityType/entityId (200), link (1000), taskAction (200)
- settings: add .max() on all string config fields; add regex allowlist (/^[a-zA-Z0-9._-]+$/) on model name fields (geminiModel, azureDalleDeployment, azureOpenAiDeployment) to prevent path manipulation
- sanitizeHtml: fix SSR bypass — server-side branch now strips HTML tags instead of returning the raw string unchanged

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
import DOMPurify from "dompurify";
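/**
 * Strip all HTML tags and attributes from a string.
 *
 * Returns text only (no tags, no attributes). Intended for untrusted input
 * (user-supplied titles, bodies, etc.) before it is rendered.
 *
 * Behaviour depends on the environment:
 * - In the browser (`window` is defined) the input goes through DOMPurify
 *   with every tag and attribute disallowed. DOMPurify returns serialized
 *   markup, so characters such as `<` may come back entity-encoded
 *   (e.g. `&lt;`) rather than raw — confirm against the DOMPurify version in use.
 * - On the server (`window` is undefined) DOMPurify is not available, so a
 *   regex fallback removes every sequence starting at `<` up to the next `>`,
 *   or up to the end of the string when no `>` follows. Dropping an
 *   unterminated tag at end-of-input (`<img src=x` with no closing `>`) means
 *   the server result never contains a `<` character, which also matches
 *   how HTML5 tokenizers treat a tag cut off at end-of-input. Content inside
 *   angle brackets that is not markup (`1 < 2 > 0`) is removed too: this is a
 *   tag stripper, not an HTML parser, and it does not replace escaping the
 *   result when it is later inserted into markup.
 *
 * @param dirty - Untrusted string that may contain HTML.
 * @returns The input with every tag — and anything between `<` and `>` — removed.
 */
export function sanitizeHtml(dirty: string): string {
  if (typeof window === "undefined") {
    // Server-side fallback. The optional `>` is deliberate: without it a
    // truncated tag at the end of the input (e.g. `<img src=x onerror=`) would be
    // returned verbatim and could be completed into a real tag by whatever is
    // concatenated after it. Every match starts at a `<` and `[^>]*` may span
    // further `<` characters, so one global pass consumes every `<` in the input.
    return dirty.replace(/<[^>]*>?/g, "");
  }
  // Browser: DOMPurify with all tags/attributes disallowed yields text only.
  return DOMPurify.sanitize(dirty, { ALLOWED_TAGS: [], ALLOWED_ATTR: [] });
}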