Move away from marked sanitize, and use dompurify instead.

2019-11-07 08:56:26 +01:00 · 2019-11-07 08:56:26 +01:00 · 030ae8a24b
parent 43aa242b7b
commit 030ae8a24b
2 changed files with 7 additions and 3 deletions
--- a/app/package.json
+++ b/app/package.json
@ -9,6 +9,7 @@
 		"@material-ui/core": "^4.5.1",
 		"@material-ui/icons": "^4.5.1",
 		"bowser": "^2.7.0",
+		"dompurify": "^2.0.7",
 		"domready": "^1.0.8",
 		"file-saver": "^2.0.2",
 		"hark": "^1.2.3",
--- a/app/src/components/MeetingDrawer/Chat/Message.js
+++ b/app/src/components/MeetingDrawer/Chat/Message.js
@ -2,6 +2,7 @@ import React from 'react';
 import PropTypes from 'prop-types';
 import classnames from 'classnames';
 import { withStyles } from '@material-ui/core/styles';
+import DOMPurify from 'dompurify'; 
 import marked from 'marked';
 import Paper from '@material-ui/core/Paper';
 import Typography from '@material-ui/core/Typography';
@ -76,9 +77,11 @@ const Message = (props) =>
 					className={classes.text}
 					variant='subtitle1'
 					// eslint-disable-next-line react/no-danger
-					dangerouslySetInnerHTML={{ __html : marked.parse(
+					dangerouslySetInnerHTML={{ __html : DOMPurify.sanitize(
+						marked.parse(
 							text,
-						{ sanitize: true, renderer: linkRenderer }
+							{ renderer: linkRenderer }
+						)
 					) }}
 				/>
 				<Typography variant='caption'>{self ? 'Me' : name} - {time}</Typography>