use dompurify instead of sanitize-html

server/helpers.js

@@ -4,7 +4,40 @@ const moment = require('moment-timezone')
 const config = require('config')
 const pkg = require('../package.json')
 
+const DOMPurify = require('dompurify')
+const { JSDOM } = require('jsdom')
+const { window } = new JSDOM('<!DOCTYPE html>')
+const domPurify = DOMPurify(window)
+const URL = require('url')
+
+domPurify.addHook('beforeSanitizeElements', node => {
+  if (node.hasAttribute && node.hasAttribute('href')) {
+    const href = node.getAttribute('href')
+    const text = node.textContent
+    if (href.includes('fbclid=')) {
+      try {
+        const url = new URL.URL(href)
+        url.searchParams.delete('fbclid')
+        node.setAttribute('href', url.href)
+        if (text.includes('fbclid=')) {
+          node.textContent = url.href
+        }
+      } catch (e) {
+        return node
+      }
+    }
+  }
+  return node
+})
+
 module.exports = {
+  sanitizeHTML (html) {
+    return domPurify.sanitize(html, {
+      ALLOWED_TAGS: ['p', 'h1', 'h2', 'h3', 'h4', 'h5',
+        'h6', 'b', 'a', 'li', 'ul', 'ol', 'code', 'blockquote', 'u', 's', 'strong'],
+      ALLOWED_ATTR: ['href']
+    })
+  },
 
   async initSettings (req, res, next) {
     await settingsController.load()