fix(security): simplify attributes merge to prevent future override

The previous Object.fromEntries spread would silently overwrite the
custom abbr attribute list if rehype-sanitize adds abbr to its default
schema in a future version. Simplify to a direct merge.
Leigh Stillard 2026-03-24 01:25:26 +00:00
parent 7d7391416b
commit d6ee7bc320


@ -36,14 +36,8 @@ const sanitizeSchema: SanitizeSchema = {
],
attributes: {
...defaultSchema.attributes,
// Preserve default global attributes
'*': [...(defaultSchema.attributes?.['*'] ?? [])],
// Allow title on abbr (for tooltip definitions)
abbr: ['title'],
// Preserve all existing attribute rules
...Object.fromEntries(
Object.entries(defaultSchema.attributes ?? {}).filter(([k]) => k !== '*')
),
abbr: [...(defaultSchema.attributes?.['abbr'] ?? []), 'title'],
},
};
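Review bot: The merged `abbr` entry no longer has a comment explaining why `title` is allowed, and because it now builds on `defaultSchema.attributes?.['abbr']`, the effective allowlist for `abbr` depends on whichever rehype-sanitize version is installed. I would put a comment directly above it, such as `// abbr: upstream defaults plus title (tooltip definitions); re-check the effective list when upgrading rehype-sanitize`. No test is visible in this hunk, so a small regression test that pins the behaviour would help: sanitize an `abbr` carrying `title` plus an attribute that must not pass, and assert that only `title` survives. That way a dependency bump that changes the defaults shows up as a test failure rather than a silent allowlist change. The `sanitizeSchema` literal starts above the hunk, so the rest of the schema was not reviewed.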