laxer HTML sanitisation for admin-controlled text - fixes #447

What does this PR do? Allows images and styled links in admin-controlled HTML (instance description, rules). We can allow more things later if needed, in a single place.

I have intentionally not changed the sanitiser used in packages/backend/src/server/api/endpoints/users/report-abuse.ts because that one deals with HTML sent by random users, so we should trust it less.

Also I have not touched packages/frontend/src/components/MkAutocomplete.vue because that's just cleaning up emoji names.

Contribution Guidelines By submitting this merge request, you agree to follow our Contribution Guidelines

• I agree to follow this project's Contribution Guidelines
• I have made sure to test this pull request

requested review from @Amelia, @Leah, and @esm

assigned to @dakkar

I can't check myself right now to see if this is also currently affected, but will this also allow MFM? Since it's possible to just use the same animation CSS style applied to actual posts.

as far as I can see, there's no support for MFM in these fields, they take HTML

you can probably apply the same style values that the MFM "advanced" functions generate… notice that you can do that already, it's only <a> and <img> elements that have a more limited set of allowed attributes, see https://www.npmjs.com/package/sanitize-html#default-options

approved this merge request

added 1 commit

• 1eb1e721 - allow details+summary

Compare with previous version

resolved all threads

reset approvals from @Marie by pushing to the branch

approved this merge request

approved this merge request

enabled an automatic merge when the pipeline for 1eb1e721 succeeds

canceled the automatic merge

merged

mentioned in commit ac9e4733