Fix HTML exploit of the day (shout-float in rich media)

fix classes and style not being stripped from rich content.

src/components/rich_content/rich_content.jsx

@@ -150,6 +150,7 @@ export default {
       if (Array.isArray(item)) {
         const [opener, children, closer] = item
         const Tag = getTagName(opener)
+        const fullAttrs = getAttrs(opener, () => true)
         const attrs = getAttrs(opener)
         const previouslyMentions = currentMentions !== null
         /* During grouping of mentions we trim all the empty text elements
@@ -171,7 +172,7 @@ export default {
             return ['', [mentionsLinePadding, renderImage(opener)], '']
           case 'a': // replace mentions with MentionLink
             if (!this.handleLinks) break
-            if (attrs['class'] && attrs['class'].includes('mention')) {
+            if (fullAttrs.class && fullAttrs.class.includes('mention')) {
               // Handling mentions here
               return renderMention(attrs, children)
             } else {
@@ -179,7 +180,7 @@ export default {
               break
             }
           case 'span':
-            if (this.handleLinks && attrs['class'] && attrs['class'].includes('h-card')) {
+            if (this.handleLinks && fullAttrs.class && fullAttrs.class.includes('h-card')) {
               return ['', children.map(processItem), '']
             }
         }
@@ -213,13 +214,14 @@ export default {
         const [opener, children] = item
         const Tag = opener === '' ? '' : getTagName(opener)
         switch (Tag) {
-          case 'a': // replace mentions with MentionLink
+          case 'a': { // replace mentions with MentionLink
             if (!this.handleLinks) break
-            const attrs = getAttrs(opener)
+            const fullAttrs = getAttrs(opener, () => true)
+            const attrs = getAttrs(opener, () => true)
             // should only be this
             if (
-              (attrs['class'] && attrs['class'].includes('hashtag')) || // Pleroma style
-                (attrs['rel'] === 'tag') // Mastodon style
+              (fullAttrs.class && fullAttrs.class.includes('hashtag')) || // Pleroma style
+                (fullAttrs.rel === 'tag') // Mastodon style
             ) {
               return renderHashtag(attrs, children, encounteredTextReverse)
             } else {
@@ -230,6 +232,7 @@ export default {
                 { newChildren }
               </a>
             }
+          }
           case '':
             return [...children].reverse().map(processItemReverse).reverse()
         }