From b0e6dfd7ddeeaad00a5f64f63aac34b334f88909 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Mime=20=C4=8Cuvalo?=
Date: Sun, 28 Apr 2024 10:05:49 +0100
Subject: [PATCH] disallow srcset for feeds for now
---
 util/crawler.ts | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/util/crawler.ts b/util/crawler.ts
index b70523d..0203f82 100644
--- a/util/crawler.ts
+++ b/util/crawler.ts
@@ -45,7 +45,9 @@ export function sanitizeHTML(rawHTML: string) {
 allowedTags: sanitizer.defaults.allowedTags.concat(['img']),
 allowedAttributes: {
 a: ['href', 'name', 'target', 'title'],
- img: ['src', 'srcset', 'width', 'height', 'alt', 'title'],
+ // N.B. For now we don't allow srcset because sometimes we have relative urls in there
+ // and I don't feel like parsing it right now to add the correct base origin, e.g. kottke.org.
+ img: ['src', 'width', 'height', 'alt', 'title'],
 iframe: ['src', 'width', 'height', 'alt', 'title'],
 },
 });
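Review bot: The reason the new comment gives for dropping `srcset` on `img` applies equally to the URL attributes that stay allowed: a relative `src` on `img` or `href` on `a` is still passed through unchanged, so it will presumably resolve against the page that renders the feed item rather than the feed's own origin. Since `sanitizeHTML(rawHTML: string)` takes no base URL in the visible signature, I would either pass the feed's origin in and rewrite `src`/`href` to absolute URLs before output, or at least record the gap next to the new comment, e.g. `// TODO: src/href can be relative too; they are not rebased onto the feed origin yet`. The `a` entry also allows `target` with no `rel` handling visible in this hunk, so it is worth confirming that links opened in a new tab end up with `rel="noopener noreferrer"`. The options object starts and ends outside the hunk, so a rewrite step may already exist there.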