From dd205e849c8c62f342a042953d08462cbfe39b90 Mon Sep 17 00:00:00 2001
From: Brady
Date: Wed, 28 Jun 2023 13:13:25 -0230
Subject: [PATCH] Copy Knossos parser changes to Omorphia (#76)

---
 lib/helpers/parse.js | 19 ++++++++++++-------
 1 file changed, 12 insertions(+), 7 deletions(-)

diff --git a/lib/helpers/parse.js b/lib/helpers/parse.js
index 4fc2abc85..861ce9025 100644
--- a/lib/helpers/parse.js
+++ b/lib/helpers/parse.js
@@ -14,14 +14,17 @@ export const configuredXss = new xss.FilterXSS({
 kbd: ['id'],
 input: ['checked', 'disabled', 'type'],
 iframe: ['width', 'height', 'allowfullscreen', 'frameborder', 'start', 'end'],
- img: [...xss.whiteList.img, 'usemap'],
+ img: [...xss.whiteList.img, 'usemap', 'style'],
 map: ['name'],
 area: [...xss.whiteList.a, 'coords'],
 a: [...xss.whiteList.a, 'rel'],
+ td: [...xss.whiteList.td, 'style'],
+ th: [...xss.whiteList.th, 'style'],
 },
 css: {
 whiteList: {
 'image-rendering': /^pixelated$/,
+ 'text-align': /^center|left|right$/,
 },
 },
 onIgnoreTagAttr: (tag, name, value) => {
@@ -50,12 +53,14 @@ export const configuredXss = new xss.FilterXSS({
 }
 
 // For Highlight.JS
- if (
- name === 'class' &&
- ['pre', 'code', 'span'].includes(tag) &&
- (value.startsWith('hljs-') || value.startsWith('language-'))
- ) {
- return name + '="' + xss.escapeAttrValue(value) + '"'
+ if (name === 'class' && ['pre', 'code', 'span'].includes(tag)) {
+ const allowedClasses = []
+ for (const className of value.split(/\s/g)) {
+ if (className.startsWith('hljs-') || className.startsWith('language-')) {
+ allowedClasses.push(className)
+ }
+ }
+ return name + '="' + xss.escapeAttrValue(allowedClasses.join(' ')) + '"'
 }
 },
 safeAttrValue(tag, name, value, cssFilter) {
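Review bot: The `text-align` pattern added to `css.whiteList` in the first hunk anchors only the outer alternatives: `/^center|left|right$/` accepts any value that begins with `center`, contains `left`, or ends with `right`, so a declaration like `text-align: leftovers` passes the CSS filter while the neighbouring `'image-rendering': /^pixelated$/` is fully anchored. Group the alternation so each branch is bounded at both ends: `'text-align': /^(center|left|right)$/,`. This matters more now that `style` is newly whitelisted on `img`, `td` and `th`, since that regex is the only thing bounding the `text-align` values those attributes can carry.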
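Review bot: In the second hunk, when none of the space-separated tokens carries an `hljs-` or `language-` prefix the new branch still returns `class=""`, because `allowedClasses.join(' ')` is the empty string, whereas the removed condition fell through and let the attribute be dropped; every `<pre>`, `<code>` or `<span>` with an unrelated class now gains an empty `class` attribute. Emit the attribute only when something survived, e.g. wrap the return in `if (allowedClasses.length > 0) {`, or `return allowedClasses.length > 0 ? name + '="' + xss.escapeAttrValue(allowedClasses.join(' ')) + '"' : undefined`. `value.split(/\s/g)` also yields empty tokens on runs of whitespace; the prefix check discards them, but `split(/\s+/)` states the intent directly. The enclosing `onIgnoreTagAttr` callback begins before this hunk and the `configuredXss` object continues past it.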