feat(plugin-git): sanitize commit messages

[pengzhanbo]

Before submitting the PR, please make sure you do the following

• Read the Contributing Guidelines.
• Provide a description in this PR that addresses what the PR is solving. If this PR is going to solve an existing issue, please reference the issue (e.g. close #123).

What is the purpose of this pull request?

• Bug fix
• New feature
• Other

Description

In previous versions, the submission information was rendered using innerHTML, but this could potentially contain illegal HTML structures. Therefore, it was modified to use innerText for rendering. However, this led to issues where content such as #issue within the submission information could not be rendered correctly.

Therefore, use rehype to sanitize commit messages, ensuring that the commit message HTML strings are clean and safe.

Ref:

rehype
rehype-sanitize

Screenshots

Before

After

[Mister-Hope]

I am not familiar with these tool chain, but I have used dom-purify.

If HTML MUST be supported here, the sanitized process requires further discussion.

A general example can be found at https://github.com/walinejs/waline/blob/main/packages/server/src/service/markdown/xss.js

For example:

• form tags like <form> <input> and media tags shall be forbidden, for commit msg, I believe only a small whitelist of tags shall be supported.
• Anything related to style must be forbidden, inducing ID, class and style
• Other attributes that uses may collect data or affecting site behavior shall also be blocked.

[Mister-Hope]

I believe some unit test shall be added in this PR.

We can trust the sanitize process, but we shall focus on other things like style inject.

[pengzhanbo]

Currently, in commit messages, a whitelist mechanism only supports the a, code, em, and strong tags. Among these, the a tag only supports the href, target, and rel attributes, and there is also validation for the value of the href attribute.