docs: README dompurify note; fix: sanitize plaintext names in booking emails; feat: use sanitizePhone in email templates; feat: extend sanitizeHtml allowed tags and URL allowlist

2025-10-06 13:31:53 +02:00
parent df26c7da6b
commit 90029f4b6a
7 changed files with 250 additions and 79 deletions
--- a/src/server/lib/sanitize.ts
+++ b/src/server/lib/sanitize.ts
@@ -0,0 +1,37 @@
+import DOMPurify from "isomorphic-dompurify";
+
+/**
+ * Sanitize plain text inputs by stripping all HTML tags.
+ * Use for names, phone numbers, and simple text fields.
+ */
+export function sanitizeText(input: string | undefined): string {
+  if (!input) return "";
+  const cleaned = DOMPurify.sanitize(input, { ALLOWED_TAGS: [], ALLOWED_ATTR: [] });
+  return cleaned.trim();
+}
+
+/**
+ * Sanitize rich text notes allowing only a minimal, safe subset of tags.
+ * Use for free-form notes or comments where basic formatting is acceptable.
+ */
+export function sanitizeHtml(input: string | undefined): string {
+  if (!input) return "";
+  const cleaned = DOMPurify.sanitize(input, {
+    ALLOWED_TAGS: ["br", "p", "strong", "em", "u", "a", "ul", "li"],
+    ALLOWED_ATTR: ["href", "title", "target", "rel"],
+    ALLOWED_URI_REGEXP: /^(?:https?:)?\/\//i,
+    KEEP_CONTENT: true,
+  });
+  return cleaned.trim();
+}
+
+/**
+ * Sanitize phone numbers by stripping HTML and keeping only digits and a few symbols.
+ * Allowed characters: digits, +, -, (, ), and spaces.
+ */
+export function sanitizePhone(input: string | undefined): string {
+  const text = sanitizeText(input);
+  return text.replace(/[^0-9+\-()\s]/g, "");
+}
+
+