Updated XSS

src/middleware/xssMiddleware.js

@@ -92,15 +92,18 @@ function clean (dirty) {
   // remove empty html tags and duplicated linebreaks and returns
   dirty = dirty
     // remove all tags with "space only"
-    .replace(/<[a-z]>[\s]*<\/[a-z]>/igm, '')
+    .replace(/<[a-z-]+>[\s]+<\/[a-z-]+>/gim, '')
     // remove all iframes
-    .replace(/(<iframe(?!.*?src=(['"]).*?\2)[^>]*)(>)[^>]*\/*>/igm, '')
+    .replace(
-    .replace(/[\n]{3,}/igm, '\n\n')
+      /(<iframe(?!.*?src=(['"]).*?\2)[^>]*)(>)[^>]*\/*>/gim,
-    .replace(/(\r\n|\n\r|\r|\n)/g, '<br>$1')
+      ''
+    )
+    .replace(/[\n]{3,}/gim, '\n\n')
+    .replace(/(\r\n|\n\r|\r|\n)/g, '<br>')
 
     // replace all p tags with line breaks (and spaces) only by single linebreaks
     // limit linebreaks to max 2 (equivalent to html "br" linebreak)
-    .replace(/(<br ?\/?>\s*){2,}/gim, '<br/>')
+    .replace(/(<br ?\/?>\s*){2,}/gim, '<br>')
     // remove additional linebreaks after p tags
     .replace(
       /<\/(p|div|th|tr)>\s*(<br ?\/?>\s*)+\s*<(p|div|th|tr)>/gim,
@@ -108,9 +111,13 @@ function clean (dirty) {
     )
     // remove additional linebreaks inside p tags
     .replace(
-      /<(p|div|th|tr)>\s*(<br ?\/?>\s*)+\s*<\/(p|div|th|tr)>/gim,
+      /<[a-z-]+>(<[a-z-]+>)*\s*(<br ?\/?>\s*)+\s*(<\/[a-z-]+>)*<\/[a-z-]+>/gim,
       ''
     )
+    // remove additional linebreaks when first child inside p tags
+    .replace(/<p>(\s*<br ?\/?>\s*)+/gim, '<p>')
+    // remove additional linebreaks when last child inside p tags
+    .replace(/(\s*<br ?\/?>\s*)+<\/p+>/gim, '</p>')
   return dirty
 }