feat(posts): faithful (semantic) HTML rendering of post bodies
Phase 1 of milestone #64. The body is captured (Phase 0) but was shown as plain text. Now: - html_sanitize.py: widen the allowlist to a faithful-but-safe set — headings, inline images, lists, blockquote, hr, code/pre, figure, links (div/span stay stripped; their text is preserved). Benefits the existing ProvenancePanel too. - post_feed_service.get_post: add sanitized `description_html` to the DETAIL response (the feed list stays lightweight plain text by design). - PostCard.vue: render description_html via v-html once expanded (fetched with detail); collapsed + no-detail fallback stay plain text. Styled close to the source (headings, images max-width, accent links, lists, quotes, code). Tests: sanitizer (headings/img/lists survive, img javascript: src dropped); get_post returns sanitized description_html. Refs FC #830. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
This commit is contained in:
@@ -8,10 +8,23 @@ bleach is deprecated upstream and intentionally not used.
|
||||
|
||||
import nh3
|
||||
|
||||
# A faithful-but-safe set: enough to reproduce the SEMANTIC look of a scraped
|
||||
# post body (headings, lists, quotes, code, inline images, links, line breaks +
|
||||
# inline emphasis) without layout-injection wrappers. `div`/`span` are
|
||||
# deliberately NOT allowed — their text is preserved by nh3 and they only carry
|
||||
# source-site layout/styling we don't want to import (a test pins this).
|
||||
ALLOWED_TAGS = {
|
||||
"p", "a", "br", "em", "strong", "b", "i", "ul", "ol", "li", "blockquote",
|
||||
"p", "a", "br", "em", "strong", "b", "i", "u", "s",
|
||||
"ul", "ol", "li", "blockquote",
|
||||
"h1", "h2", "h3", "h4", "h5", "h6", "hr",
|
||||
"pre", "code", "img", "figure", "figcaption",
|
||||
}
|
||||
ALLOWED_ATTRIBUTES = {"a": {"href", "title"}}
|
||||
ALLOWED_ATTRIBUTES = {
|
||||
"a": {"href", "title", "target"},
|
||||
"img": {"src", "alt", "title", "width", "height"},
|
||||
}
|
||||
# http/https for hotlinked source images today; relative URLs (e.g. a local
|
||||
# `/api/...` src once inline images are captured) pass through nh3 untouched.
|
||||
ALLOWED_URL_SCHEMES = {"http", "https"}
|
||||
|
||||
|
||||
|
||||
Reference in New Issue
Block a user