preventing package@version from being turned into mailto

Author: WilcoSp

server/utils/changelog/markdown.ts

@@ -9,6 +9,8 @@ import {
 } from '../readme'
 import sanitizeHtml from 'sanitize-html'
 
+const EMAIL_REGEX = /^[\w+\-.]+@[\w\-.]+\.[a-z]+$/i
+
 export async function changelogRenderer() {
   const renderer = new marked.Renderer({
     gfm: true,
@@ -21,6 +23,10 @@ export async function changelogRenderer() {
     const titleAttr = title ? ` title="${title}"` : ''
     const plainText = text.replace(/<[^>]*>/g, '').trim()
 
+    if (href.startsWith('mailto:') && !EMAIL_REGEX.test(text)) {
+      return text
+    }
+
     const intermediateTitleAttr = `${` data-title-intermediate="${plainText || title}"`}`
 
     return `<a href="${href}"${titleAttr}${intermediateTitleAttr} target="_blank">${text}</a>`
@@ -105,10 +111,12 @@ export async function changelogRenderer() {
     }
 
     return {
-      html: convertToEmoji(
-        marked.parse(markdown, {
-          renderer,
-        }) as string,
+      html: sanitizeRawHTML(
+        convertToEmoji(
+          marked.parse(markdown, {
+            renderer,
+          }) as string,
+        ),
       ),
       toc,
     }

server/utils/readme.ts

@@ -174,7 +174,7 @@ export const ALLOWED_TAGS = [
 
 export const ALLOWED_ATTR: Record<string, string[]> = {
   '*': ['id'], // Allow id on all tags
-  'a': ['href', 'title', 'target', 'rel'],
+  'a': ['href', 'title', 'target', 'rel', 'class'],
   'img': ['src', 'alt', 'title', 'width', 'height', 'align'],
   'source': ['src', 'srcset', 'type', 'media'],
   'button': ['class', 'title', 'type', 'aria-label', 'data-copy'],