fix: use more resilient preexisting stripHtmlTags function

Author: danielroe

server/utils/readme.ts

@@ -3,7 +3,7 @@ import sanitizeHtml from 'sanitize-html'
 import { hasProtocol } from 'ufo'
 import type { ReadmeResponse, TocItem } from '#shared/types/readme'
 import { convertBlobOrFileToRawUrl, type RepositoryInfo } from '#shared/utils/git-providers'
-import { decodeHtmlEntities } from '#shared/utils/html'
+import { decodeHtmlEntities, stripHtmlTags } from '#shared/utils/html'
 import { convertToEmoji } from '#shared/utils/emoji'
 import { toProxiedImageUrl } from '#server/utils/image-proxy'
 
@@ -194,22 +194,6 @@ const ALLOWED_ATTR: Record<string, string[]> = {
   'p': ['align'],
 }
 
-/**
- * Strip all HTML tags from a string, looping until stable to prevent
- * incomplete sanitization from nested/interleaved tags
- * (e.g. `<scr<script>ipt>` → `<script>` after one pass).
- */
-function stripHtmlTags(text: string): string {
-  const tagPattern = /<[^>]*>/g
-  let result = text
-  let previous: string
-  do {
-    previous = result
-    result = result.replace(tagPattern, '')
-  } while (result !== previous)
-  return result
-}
-
 /**
  * Generate a GitHub-style slug from heading text.
  * - Convert to lowercase

shared/utils/html.ts

@@ -12,6 +12,18 @@ export function decodeHtmlEntities(text: string): string {
   return text.replace(/&(?:amp|lt|gt|quot|apos|nbsp|#39);/g, match => htmlEntities[match] || match)
 }
 
+/**
+ * Strip all HTML tags from a string, looping until stable to prevent
+ * incomplete sanitization from nested/interleaved tags
+ * (e.g. `<scr<script>ipt>` → `<script>` after one pass).
+ */
 export function stripHtmlTags(text: string): string {
-  return text.replace(/<[^>]*>/g, '')
+  const tagPattern = /<[^>]*>/g
+  let result = text
+  let previous: string
+  do {
+    previous = result
+    result = result.replace(tagPattern, '')
+  } while (result !== previous)
+  return result
 }