

2 commits

9f81116ba3
fix: don't normalize html by default
it breaks remote posts a little and frontend sanitizes again anyway so
might as well store the original stuff they serve us? could be malicious
tho, if FE doesn't sanitize again could lead to stored XSS, maybe
reconsider?
2024-07-04 01:51:15 +02:00
0f97d7656a
fix(mdhtml): dont strip class=u-url mention 2024-07-04 01:47:54 +02:00
3 changed files with 5 additions and 5 deletions


@ -25,7 +25,6 @@ serde_json = "1"
serde_default = "0.1"
serde-inline-default = "0.2"
toml = "0.8"
mdhtml = { path = "../../utils/mdhtml", features = ["markdown"] }
uriproxy = { path = "../../utils/uriproxy" }
httpsign = { path = "../../utils/httpsign/" }
jrd = "0.1"


@ -25,10 +25,10 @@ impl Normalizer for crate::Context {
async fn insert_object(&self, object: impl apb::Object, tx: &impl ConnectionTrait) -> Result<crate::model::object::Model, NormalizerError> {
let mut object_model = AP::object(&object)?;
// make sure content only contains a safe subset of html
if let Some(content) = object_model.content {
object_model.content = Some(mdhtml::safe_html(&content));
}
// TOO should we make sure content only contains a safe subset of html ? frontend does it too
// if let Some(content) = object_model.content {
// object_model.content = Some(mdhtml::safe_html(&content));
// }
// fix context for remote posts
// > if any link is broken or we get rate limited, the whole insertion fails which is
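Review bot: Dropping the `mdhtml::safe_html` call on `object_model.content` means remote post bodies are now persisted verbatim, and the commit description already names the consequence: any consumer that renders `content` without sanitizing it again is exposed to stored XSS. Keeping the sanitizer at the storage boundary is cheap defense in depth, and the `class="u-url mention"` fix in the same compare looks like the remote-post breakage the description refers to, so the original block could likely be restored once mdhtml carries that fix. If the call is to stay disabled, the commented-out block should record the decision instead of a half-written note: replace the `// TOO should we make sure …` line with `// TODO: content is stored unsanitized (remote HTML kept verbatim); every renderer must sanitize it before output`. `insert_object` continues past the end of the hunk.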


@ -56,6 +56,7 @@ impl TokenSink for Sink {
match attr.name.local.as_ref() {
"href" => self.buffer.push_str(&format!(" href=\"{}\"", attr.value.as_ref())),
"title" => self.buffer.push_str(&format!(" title=\"{}\"", attr.value.as_ref())),
"class" => if attr.value.as_ref() == "u-url mention" { self.buffer.push_str(" class=\"u-url mention\"") },
_ => {},
}
}
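Review bot: The new `class` arm is an exact-match allowlist, so only the literal `u-url mention` value survives; that is the right shape, but the `href` and `title` arms beside it copy `attr.value` into the output through `format!` with no escaping, and if the tokenizer hands back decoded attribute values a `"` or `&` inside one is written raw, which can terminate the attribute early. Since this sink is the sanitizer the rest of the code relies on, escaping those two values (at least `&`, `"`, `<`, `>`) before interpolation would close that gap. A short comment on the new arm, such as `// exact-match allowlist: only the mention microformat class is kept, any other class is dropped`, would also make the intent explicit for the next maintainer. The enclosing method and its `Sink` type start outside the hunk.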