210 lines
4.6 KiB
JavaScript
210 lines
4.6 KiB
JavaScript
/**
|
||
* @import {Schema} from 'hast-util-sanitize'
|
||
*/
|
||
|
||
// Couple of ARIA attributes allowed in several, but not all, places.
|
||
const aria = ['ariaDescribedBy', 'ariaLabel', 'ariaLabelledBy']
|
||
|
||
/**
|
||
* Default schema.
|
||
*
|
||
* Follows GitHub style sanitation.
|
||
*
|
||
* @type {Schema}
|
||
*/
|
||
export const defaultSchema = {
|
||
ancestors: {
|
||
tbody: ['table'],
|
||
td: ['table'],
|
||
th: ['table'],
|
||
thead: ['table'],
|
||
tfoot: ['table'],
|
||
tr: ['table']
|
||
},
|
||
attributes: {
|
||
a: [
|
||
...aria,
|
||
// Note: these 3 are used by GFM footnotes, they do work on all links.
|
||
'dataFootnoteBackref',
|
||
'dataFootnoteRef',
|
||
['className', 'data-footnote-backref'],
|
||
'href'
|
||
],
|
||
blockquote: ['cite'],
|
||
// Note: this class is not normally allowed by GH, when manually writing
|
||
// `code` as HTML in markdown, they adds it some other way.
|
||
// We can’t do that, so we have to allow it.
|
||
code: [['className', /^language-./]],
|
||
del: ['cite'],
|
||
div: ['itemScope', 'itemType'],
|
||
dl: [...aria],
|
||
// Note: this is used by GFM footnotes.
|
||
h2: [['className', 'sr-only']],
|
||
img: [...aria, 'longDesc', 'src'],
|
||
// Note: `input` is not normally allowed by GH, when manually writing
|
||
// it in markdown, they add it from tasklists some other way.
|
||
// We can’t do that, so we have to allow it.
|
||
input: [
|
||
['disabled', true],
|
||
['type', 'checkbox']
|
||
],
|
||
ins: ['cite'],
|
||
// Note: this class is not normally allowed by GH, when manually writing
|
||
// `li` as HTML in markdown, they adds it some other way.
|
||
// We can’t do that, so we have to allow it.
|
||
li: [['className', 'task-list-item']],
|
||
// Note: this class is not normally allowed by GH, when manually writing
|
||
// `ol` as HTML in markdown, they adds it some other way.
|
||
// We can’t do that, so we have to allow it.
|
||
ol: [...aria, ['className', 'contains-task-list']],
|
||
q: ['cite'],
|
||
section: ['dataFootnotes', ['className', 'footnotes']],
|
||
source: ['srcSet'],
|
||
summary: [...aria],
|
||
table: [...aria],
|
||
// Note: this class is not normally allowed by GH, when manually writing
|
||
// `ol` as HTML in markdown, they adds it some other way.
|
||
// We can’t do that, so we have to allow it.
|
||
ul: [...aria, ['className', 'contains-task-list']],
|
||
'*': [
|
||
'abbr',
|
||
'accept',
|
||
'acceptCharset',
|
||
'accessKey',
|
||
'action',
|
||
'align',
|
||
'alt',
|
||
'axis',
|
||
'border',
|
||
'cellPadding',
|
||
'cellSpacing',
|
||
'char',
|
||
'charOff',
|
||
'charSet',
|
||
'checked',
|
||
'clear',
|
||
'colSpan',
|
||
'color',
|
||
'cols',
|
||
'compact',
|
||
'coords',
|
||
'dateTime',
|
||
'dir',
|
||
// Note: `disabled` is technically allowed on all elements by GH.
|
||
// But it is useless on everything except `input`.
|
||
// Because `input`s are normally not allowed, but we allow them for
|
||
// checkboxes due to tasklists, we allow `disabled` only there.
|
||
'encType',
|
||
'frame',
|
||
'hSpace',
|
||
'headers',
|
||
'height',
|
||
'hrefLang',
|
||
'htmlFor',
|
||
'id',
|
||
'isMap',
|
||
'itemProp',
|
||
'label',
|
||
'lang',
|
||
'maxLength',
|
||
'media',
|
||
'method',
|
||
'multiple',
|
||
'name',
|
||
'noHref',
|
||
'noShade',
|
||
'noWrap',
|
||
'open',
|
||
'prompt',
|
||
'readOnly',
|
||
'rev',
|
||
'rowSpan',
|
||
'rows',
|
||
'rules',
|
||
'scope',
|
||
'selected',
|
||
'shape',
|
||
'size',
|
||
'span',
|
||
'start',
|
||
'summary',
|
||
'tabIndex',
|
||
'title',
|
||
'useMap',
|
||
'vAlign',
|
||
'value',
|
||
'width'
|
||
]
|
||
},
|
||
clobber: ['ariaDescribedBy', 'ariaLabelledBy', 'id', 'name'],
|
||
clobberPrefix: 'user-content-',
|
||
protocols: {
|
||
cite: ['http', 'https'],
|
||
href: ['http', 'https', 'irc', 'ircs', 'mailto', 'xmpp'],
|
||
longDesc: ['http', 'https'],
|
||
src: ['http', 'https']
|
||
},
|
||
required: {
|
||
input: {disabled: true, type: 'checkbox'}
|
||
},
|
||
strip: ['script'],
|
||
tagNames: [
|
||
'a',
|
||
'b',
|
||
'blockquote',
|
||
'br',
|
||
'code',
|
||
'dd',
|
||
'del',
|
||
'details',
|
||
'div',
|
||
'dl',
|
||
'dt',
|
||
'em',
|
||
'h1',
|
||
'h2',
|
||
'h3',
|
||
'h4',
|
||
'h5',
|
||
'h6',
|
||
'hr',
|
||
'i',
|
||
'img',
|
||
// Note: `input` is not normally allowed by GH, when manually writing
|
||
// it in markdown, they add it from tasklists some other way.
|
||
// We can’t do that, so we have to allow it.
|
||
'input',
|
||
'ins',
|
||
'kbd',
|
||
'li',
|
||
'ol',
|
||
'p',
|
||
'picture',
|
||
'pre',
|
||
'q',
|
||
'rp',
|
||
'rt',
|
||
'ruby',
|
||
's',
|
||
'samp',
|
||
'section',
|
||
'source',
|
||
'span',
|
||
'strike',
|
||
'strong',
|
||
'sub',
|
||
'summary',
|
||
'sup',
|
||
'table',
|
||
'tbody',
|
||
'td',
|
||
'tfoot',
|
||
'th',
|
||
'thead',
|
||
'tr',
|
||
'tt',
|
||
'ul',
|
||
'var'
|
||
]
|
||
}
|