feat: add social media feed integration with multi-platform support by dzienisz · Pull Request #299 · naugtur/meetjs.pl

dzienisz · 2025-10-29T13:50:08Z

Added configuration for Bluesky, Twitter, and LinkedIn social feed integration in .env.example
Created comprehensive setup documentation for each social platform (SOCIAL_FEED_SETUP.md, BLUESKY_SETUP.md)
Added translations for social feed UI components in English and Polish
Configured image domains for Mastodon instances in next.config.ts
Added @atproto/api dependency for Bluesky integration

- Added configuration for Bluesky, Twitter, and LinkedIn social feed integration in .env.example - Created comprehensive setup documentation for each social platform (SOCIAL_FEED_SETUP.md, BLUESKY_SETUP.md) - Added translations for social feed UI components in English and Polish - Configured image domains for Mastodon instances in next.config.ts - Added @atproto/api dependency for Bluesky integration

vercel · 2025-10-29T13:50:12Z

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Preview	Comments	Updated (UTC)
website	Ready	Preview	Comment	Oct 29, 2025 1:51pm

socket-security · 2025-10-29T13:50:43Z

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License
	@atproto/api@0.17.5

View full report

+  return html
+    .replace(/<br\s*\/?>/gi, '\n')
+    .replace(/<\/p>/gi, '\n\n')
+    .replace(/<[^>]*>/g, '')
+    .replace(/&nbsp;/g, ' ')
+    .replace(/&amp;/g, '&')


To fix the problem, we need to change the order in which HTML entities are unescaped in the stripHtml function. Specifically, the ampersand entity (&) must be replaced after all other entities ( , <, >, "). This prevents double-unescaping, where replacing & first could expose further entities that then get unescaped a second time. To implement this, edit src/lib/social.ts function stripHtml at lines 269–280, moving the .replace(/&/g, '&') call after all other .replace() lines.

No additional imports or method definitions are needed, as this is a pure string manipulation.

+  return html
+    .replace(/<br\s*\/?>/gi, '\n')
+    .replace(/<\/p>/gi, '\n\n')
+    .replace(/<[^>]*>/g, '')


The best way to fix the problem is to robustly sanitize the input and ensure no instances of dangerous tags (such as <script>, or angle brackets left over from incomplete tag removal) remain.

Preferably, use a well-known and maintained sanitization library, such as sanitize-html. This will handle complex/on-the-edge cases and keep the code maintainable and secure.

If not introducing a dependency, apply the regular expression replacements repeatedly (in a loop), so that if tag removal exposes further tags or unmatched brackets, those are also removed.

As an additional precaution, after stripping HTML tags, remove any residual < or > characters.

Edit only the stripHtml function in src/lib/social.ts (lines 269-280). If a library is used, import it at the top of the file.

If you are allowed to add the sanitize-html library, use that. Otherwise, as seen in the background, apply .replace() repeatedly until no changes occur, and finally remove any stray < or >.

vercel Bot deployed to Preview – website October 29, 2025 13:51 View deployment

github-advanced-security AI found potential problems Oct 29, 2025

View reviewed changes

dzienisz self-assigned this Oct 30, 2025

dzienisz requested review from Eghizio, fricze, naugtur and ssynowiec October 30, 2025 14:38

@@ -266,17 +266,18 @@
             /**
              * Strips HTML tags from text
              */
+            import sanitizeHtml from 'sanitize-html';
             function stripHtml(html: string): string {
-              return html
-                .replace(/<br\s*\/?>/gi, '\n')
-                .replace(/<\/p>/gi, '\n\n')
-                .replace(/<[^>]*>/g, '')
-                .replace(/&nbsp;/g, ' ')
-                .replace(/&amp;/g, '&')
-                .replace(/&lt;/g, '<')
-                .replace(/&gt;/g, '>')
-                .replace(/&quot;/g, '"')
-                .trim();
+              // Remove all HTML tags and entities robustly
+              return sanitizeHtml(html, {
+                allowedTags: [], // Remove all tags
+                allowedAttributes: {},
+                textFilter: function(text) {
+                  // Remove any residual < or > which might have slipped through
+                  return text.replace(/[<>]/g, '');
+                }
+              }).trim();
             }
             /**

@@ -88,7 +88,8 @@
                 "react-icons": "^5.5.0",
                 "tailwind-merge": "^2.5.2",
                 "tailwindcss-animate": "^1.0.7",
-                "zod": "^3.24.2"
+                "zod": "^3.24.2",
+                "sanitize-html": "^2.17.0"
               },
               "devDependencies": {
                 "@eslint/eslintrc": "^3.3.1",

Package	Version	Security advisories
sanitize-html (npm)	2.17.0	None

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

feat: add social media feed integration with multi-platform support#299

feat: add social media feed integration with multi-platform support#299
dzienisz wants to merge 1 commit intomainfrom
feat/social

dzienisz commented Oct 29, 2025

Uh oh!

vercel Bot commented Oct 29, 2025 •

edited

Loading

Uh oh!

socket-security Bot commented Oct 29, 2025

Uh oh!

Check failure

Copilot Autofix

Check failure

Copilot Autofix

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

2 participants

Conversation

dzienisz commented Oct 29, 2025

Uh oh!

vercel Bot commented Oct 29, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

socket-security Bot commented Oct 29, 2025

Uh oh!

Check failure

Uh oh!

Copilot Autofix

Check failure

Uh oh!

Copilot Autofix

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

2 participants

vercel Bot commented Oct 29, 2025 •

edited

Loading