Sanitize oembed html

src/deps.ts

@@ -34,3 +34,5 @@ export { default as mime } from 'npm:mime@^3.0.0';
 export { unfurl } from 'npm:unfurl.js@^6.3.2';
 export { default as TTLCache } from 'npm:@isaacs/ttlcache@^1.4.0';
 export { default as uuid62 } from 'npm:uuid62@^1.0.2';
+// @deno-types="npm:@types/sanitize-html@2.9.0"
+export { default as sanitizeHtml } from 'npm:sanitize-html@^2.10.0';

src/transmute.ts

@@ -1,4 +1,4 @@
-import { findReplyTag, lodash, nip19, TTLCache, unfurl, z } from '@/deps.ts';
+import { findReplyTag, lodash, nip19, sanitizeHtml, TTLCache, unfurl, z } from '@/deps.ts';
 import { type Event } from '@/event.ts';
 import { emojiTagSchema, filteredArray, type MetaContent, parseMetaContent } from '@/schema.ts';
 
@@ -211,7 +211,12 @@ async function unfurlCard(url: string): Promise<PreviewCard | null> {
       provider_name: result.oEmbed?.provider_name || '',
       provider_url: result.oEmbed?.provider_url || '',
       // @ts-expect-error `html` does in fact exist on oEmbed.
-      html: result.oEmbed?.html || '',
+      html: sanitizeHtml(result.oEmbed?.html || '', {
+        allowedTags: ['iframe'],
+        allowedAttributes: {
+          iframe: ['width', 'height', 'src', 'frameborder', 'allowfullscreen'],
+        },
+      }),
       width: result.oEmbed?.width || 0,
       height: result.oEmbed?.height || 0,
       image: result.oEmbed?.thumbnails?.[0].url || result.open_graph.images?.[0].url || null,