Copy Knossos parser changes to Omorphia (#76)

lib/helpers/parse.js

@@ -14,14 +14,17 @@ export const configuredXss = new xss.FilterXSS({
     kbd: ['id'],
     input: ['checked', 'disabled', 'type'],
     iframe: ['width', 'height', 'allowfullscreen', 'frameborder', 'start', 'end'],
-    img: [...xss.whiteList.img, 'usemap'],
+    img: [...xss.whiteList.img, 'usemap', 'style'],
     map: ['name'],
     area: [...xss.whiteList.a, 'coords'],
     a: [...xss.whiteList.a, 'rel'],
+    td: [...xss.whiteList.td, 'style'],
+    th: [...xss.whiteList.th, 'style'],
   },
   css: {
     whiteList: {
       'image-rendering': /^pixelated$/,
+      'text-align': /^center|left|right$/,
     },
   },
   onIgnoreTagAttr: (tag, name, value) => {
@@ -50,12 +53,14 @@ export const configuredXss = new xss.FilterXSS({
     }
 
     // For Highlight.JS
-    if (
+    if (name === 'class' && ['pre', 'code', 'span'].includes(tag)) {
-      name === 'class' &&
+      const allowedClasses = []
-      ['pre', 'code', 'span'].includes(tag) &&
+      for (const className of value.split(/\s/g)) {
-      (value.startsWith('hljs-') || value.startsWith('language-'))
+        if (className.startsWith('hljs-') || className.startsWith('language-')) {
-    ) {
+          allowedClasses.push(className)
-      return name + '="' + xss.escapeAttrValue(value) + '"'
+        }
+      }
+      return name + '="' + xss.escapeAttrValue(allowedClasses.join(' ')) + '"'
     }
   },
   safeAttrValue(tag, name, value, cssFilter) {