From 2009a57661c3e0175961e2b18f9450b1abbc1e1a Mon Sep 17 00:00:00 2001
From: rook1e
Date: Sat, 3 Aug 2024 15:56:19 +0800
Subject: [PATCH] fix: sanitize dom first

---
 frontend/src/routes/items/+page.svelte | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/frontend/src/routes/items/+page.svelte b/frontend/src/routes/items/+page.svelte
index 2d86c8c..8c172b9 100644
--- a/frontend/src/routes/items/+page.svelte
+++ b/frontend/src/routes/items/+page.svelte
@@ -34,7 +34,9 @@
 { tag: 'object', attrs: ['data'] }
 ];
 
- const dom = new DOMParser().parseFromString(content, 'text/html');
+ const cleaned = DOMPurify.sanitize(content, { FORBID_ATTR: ['class', 'style'] });
+
+ const dom = new DOMParser().parseFromString(cleaned, 'text/html');
 for (const el of elements) {
 dom.querySelectorAll(el.tag).forEach((v) => {
 for (const attr of el.attrs) {
@@ -54,14 +56,12 @@
 }
 });
 
- const replaced = new XMLSerializer().serializeToString(dom);
 // data.content = data.content.replace(/src="(.*?)"/g, (_, match) => {
 // const res = new URL(match, data.link).href;
 // return `src="${res}"`;
 // });
 
- // FIX: sanitize should be the first
- return DOMPurify.sanitize(replaced, { FORBID_ATTR: ['class', 'style'] });
+ return new XMLSerializer().serializeToString(dom);
 }
 
 let fixActionbar = true;
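Review bot: Moving DOMPurify ahead of the `for (const el of elements)` loop leaves the string this function actually returns unsanitized: every attribute the loop writes into `dom`, and the `XMLSerializer` round-trip in the second hunk, now happen after the only sanitizer pass, so the caller receives whatever the loop produced rather than what DOMPurify approved. If the rewritten attribute values are derived from the untrusted content (the commented-out `new URL(match, data.link)` code suggests URL resolution) or the XML serialization changes how the HTML parser later reads the markup, that is post-sanitization mutation DOMPurify cannot guard against. Keep the early pass if the loop needs clean input, but sanitize the final output as well: `return DOMPurify.sanitize(new XMLSerializer().serializeToString(dom), { FORBID_ATTR: ['class', 'style'] });`. Note too that `object` is not in DOMPurify's default allow list, so after this reorder the `{ tag: 'object', attrs: ['data'] }` entry is probably dead — worth confirming and removing or documenting. The enclosing function begins before both hunks, so where `content` comes from and what the loop does with each attribute is not visible here.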