From 030ae8a24b48a986d3a6782ccc963bfaa97fadb5 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?H=C3=A5var=20Aamb=C3=B8=20Fosstveit?=
Date: Thu, 7 Nov 2019 08:56:26 +0100
Subject: [PATCH] Move away from marked sanitize, and use dompurify instead.

---
 app/package.json | 1 +
 app/src/components/MeetingDrawer/Chat/Message.js | 9 ++++++---
 2 files changed, 7 insertions(+), 3 deletions(-)

diff --git a/app/package.json b/app/package.json
index 8cb5d4a..6f171f3 100644
--- a/app/package.json
+++ b/app/package.json
@@ -9,6 +9,7 @@
 "@material-ui/core": "^4.5.1",
 "@material-ui/icons": "^4.5.1",
 "bowser": "^2.7.0",
+ "dompurify": "^2.0.7",
 "domready": "^1.0.8",
 "file-saver": "^2.0.2",
 "hark": "^1.2.3",
diff --git a/app/src/components/MeetingDrawer/Chat/Message.js b/app/src/components/MeetingDrawer/Chat/Message.js
index 5a0d812..85a749d 100644
--- a/app/src/components/MeetingDrawer/Chat/Message.js
+++ b/app/src/components/MeetingDrawer/Chat/Message.js
@@ -2,6 +2,7 @@ import React from 'react';
 import PropTypes from 'prop-types';
 import classnames from 'classnames';
 import { withStyles } from '@material-ui/core/styles';
+import DOMPurify from 'dompurify';
 import marked from 'marked';
 import Paper from '@material-ui/core/Paper';
 import Typography from '@material-ui/core/Typography';
@@ -76,9 +77,11 @@ const Message = (props) =>
 className={classes.text}
 variant='subtitle1'
 // eslint-disable-next-line react/no-danger
- dangerouslySetInnerHTML={{ __html : marked.parse(
- text,
- { sanitize: true, renderer: linkRenderer }
+ dangerouslySetInnerHTML={{ __html : DOMPurify.sanitize(
+ marked.parse(
+ text,
+ { renderer: linkRenderer }
+ )
 ) }}
 />
 {self ? 'Me' : name} - {time}
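Review bot: Nothing in the second Message.js hunk records that `DOMPurify.sanitize` is now the only filter between the peer-supplied chat `text` and `dangerouslySetInnerHTML`, since marked's `sanitize: true` was dropped in the same change; a comment above the prop such as `// text comes from other participants: DOMPurify is the sole XSS boundary now that marked no longer sanitizes — keep it wrapping marked.parse and do not loosen its config` would keep a later refactor from removing or reordering it. The order chosen here (render markdown first, then sanitize the resulting HTML) is the right one, and that is worth stating in the comment, because sanitizing the markdown source before rendering can be undone by the renderer. If `linkRenderer`, which is defined outside the hunk, emits `target="_blank"` on links, be aware that DOMPurify's default attribute allowlist, as far as I recall, drops `target`, so links would silently lose that behaviour; re-allowing it with `ADD_ATTR: ['target']` should be paired with `rel="noopener noreferrer"`. The `Message` component begins and ends outside the hunk.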