more sensible html sanitisation

Thanks to sodiboo on Discord, I realised that sanitizeHtml doesn't work the way I thought…

I thought that all attributes listed in nonBooleanAttributes were allowed (don't ask why, my brain is weird), but that's not true, nonBooleanAttributes are just "attributes that should have a value", it's got nothing to do with allow/deny.

Also, we have 2 uses for sanitizeHtml:

• stopping admins from breaking things (via instance description, server rules)
• stopping users from breaking things (via abuse report comments)

so:

• split sanitizeHtml into lax & strict functions
• "strict" should use pretty much the default settings (no media, no styles)
• "lax" should be like it's now, but with allowedAttributes: { ...original.defaults.allowedAttributes, '*': (original.defaults.allowedAttributes['*'] || []).concat(['style']) } or something like that
• use the strict version in packages/backend/src/server/api/endpoints/users/report-abuse.ts
• use the lax version elsewhere

added bug label

assigned to @dakkar

mentioned in commit ae2fde29

mentioned in merge request !862 (merged)

added in review label

removed in review label

the backend is now (2024.11) using the default sanitizeHtml in AbuseReportNotificationService, so we probably don't need to touch that

mentioned in commit 9d6504c2

mentioned in merge request !863 (merged)

added in review label

mentioned in commit 36b7572b

closed with commit 9d6504c2