import sanitizeHtml from "sanitize-html";
/**
 * Sanitize untrusted HTML before it is rendered, stripping every tag and
 * attribute that the allow-list below does not cover. This is the XSS
 * control for user-supplied content, so the lists are deliberately short.
 *
 * Allow-list: the library's default tags plus `img`, `span` and `iframe`;
 * `iframe` is additionally restricted to the embed hosts named in
 * `allowedIframeHostnames`.
 *
 * Review notes on the configuration:
 * - `class`, `id` and `data-*` are allowed on every element. Attacker-chosen
 *   `id` values can shadow named DOM globals in the host page (DOM
 *   clobbering); drop `id` here if content does not need anchor targets.
 * - `allow` / `allowfullscreen` on `iframe` forward permission grants to the
 *   embedded origin; this is acceptable only because the hostnames are pinned.
 * - URL scheme filtering for `src` / `srcset` / `href` is not configured here
 *   and relies on the library's defaults — confirm the installed version's
 *   `allowedSchemes` still rejects script URLs.
 *
 * @param html - Raw, untrusted markup.
 * @returns The markup with disallowed tags and attributes removed.
 */
export function sanitizeContent(html: string): string {
  const defaults = sanitizeHtml.defaults;

  // Extra tags layered on top of the library defaults.
  const allowedTags = [...defaults.allowedTags, "img", "span", "iframe"];

  // Attribute allow-list keyed by tag name; "*" applies to every tag.
  // The `img` entry replaces any default entry for that tag.
  const allowedAttributes = {
    ...defaults.allowedAttributes,
    "*": ["class", "id", "data-*"],
    iframe: ["src", "width", "height", "frameborder", "allow", "allowfullscreen"],
    img: ["src", "srcset", "alt", "title", "width", "height", "loading"],
  };

  // Only these embed providers may be loaded inside an iframe.
  const allowedIframeHostnames = ["www.youtube.com", "player.vimeo.com"];

  return sanitizeHtml(html, {
    allowedTags,
    allowedAttributes,
    allowedIframeHostnames,
  });
}