Extract HTML sanitizer to its own file

plugins/base/routes.go

@@ -16,7 +16,6 @@ import (
 	"github.com/emersion/go-message"
 	"github.com/emersion/go-smtp"
 	"github.com/labstack/echo/v4"
-	"github.com/microcosm-cc/bluemonday"
 )
 
 func registerRoutes(p *koushin.GoPlugin) {
@@ -246,12 +245,7 @@ func handleGetPart(ctx *koushin.Context, raw bool) error {
 
 	isHTML := false
 	if strings.EqualFold(mimeType, "text/html") {
-		p := bluemonday.UGCPolicy()
-		// TODO: be more strict
-		p.AllowElements("style")
-		p.AllowAttrs("style")
-		p.AddTargetBlankToFullyQualifiedLinks(true)
-		body = p.Sanitize(body)
+		body = sanitizeHTML(body)
 		isHTML = true
 	}
 

plugins/base/sanitize_html.go

@@ -0,0 +1,18 @@
+package koushinbase
+
+import (
+	"github.com/microcosm-cc/bluemonday"
+)
+
+func sanitizeHTML(b string) string {
+	p := bluemonday.UGCPolicy()
+
+	// TODO: be more strict
+	p.AllowElements("style")
+	p.AllowAttrs("style")
+
+	p.AddTargetBlankToFullyQualifiedLinks(true)
+	p.RequireNoFollowOnLinks(true)
+
+	return p.Sanitize(b)
+}