fix(security): simplify attributes merge to prevent future override
The previous Object.fromEntries spread would silently overwrite the custom abbr attribute list if rehype-sanitize adds abbr to its default schema in a future version. Simplify to a direct merge.
parent
7d7391416b
commit
d6ee7bc320
1 changed files with 1 additions and 7 deletions
|
|
@ -36,14 +36,8 @@ const sanitizeSchema: SanitizeSchema = {
|
|||
],
|
||||
attributes: {
|
||||
...defaultSchema.attributes,
|
||||
// Preserve default global attributes
|
||||
'*': [...(defaultSchema.attributes?.['*'] ?? [])],
|
||||
// Allow title on abbr (for tooltip definitions)
|
||||
abbr: ['title'],
|
||||
// Preserve all existing attribute rules
|
||||
...Object.fromEntries(
|
||||
Object.entries(defaultSchema.attributes ?? {}).filter(([k]) => k !== '*')
|
||||
),
|
||||
abbr: [...(defaultSchema.attributes?.['abbr'] ?? []), 'title'],
|
||||
},
|
||||
};
|
||||
|
||||
|
|
|
|||
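Review bot: The `abbr: [...(defaultSchema.attributes?.['abbr'] ?? []), 'title'],` entry is only safe while it stays below the `...defaultSchema.attributes,` spread, because a later key in an object literal wins, and nothing in the hunk records that ordering requirement. Moving the spread under it would reintroduce the silent override the commit message describes. I would put a comment directly above the entry, e.g. `// Keep after the defaultSchema spread: later keys win, and this extends (never replaces) any default abbr rules`. A small unit test asserting that `sanitizeSchema.attributes.abbr` contains `'title'` and that the `'*'` list equals the default would catch a future reorder or an upstream schema change. The rendered page has lost its +/- markers, so I am reading that entry as the single added line from the 1 addition / 7 deletions count, and the `sanitizeSchema` literal begins above the hunk.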