From 8ae210cbe227f60f23640691c71c171b4ef5a165 Mon Sep 17 00:00:00 2001
From: David Baker
Date: Wed, 21 Sep 2016 16:19:41 +0100
Subject: [PATCH 1/6] Revert #333

Revert https://github.com/matrix-org/matrix-react-sdk/pull/333/files since sanitizer blindly allows urls with no scheme, meaning // links can be used to fetch images over whatever scheme you serve vector over (ie. normally http/https).
---
 src/HtmlUtils.js | 6 ++----
 1 file changed, 2 insertions(+), 4 deletions(-)

diff --git a/src/HtmlUtils.js b/src/HtmlUtils.js
index 63445dcf30..b74b57ceac 100644
--- a/src/HtmlUtils.js
+++ b/src/HtmlUtils.js
@@ -87,7 +87,7 @@ var sanitizeHtmlParams = {
 // deliberately no h1/h2 to stop people shouting.
 'h3', 'h4', 'h5', 'h6', 'blockquote', 'p', 'a', 'ul', 'ol', 'nl', 'li',
 'b', 'i', 'u', 'strong', 'em', 'strike', 'code', 'hr', 'br', 'div',
- 'table', 'thead', 'caption', 'tbody', 'tr', 'th', 'td', 'pre', 'img',
+ 'table', 'thead', 'caption', 'tbody', 'tr', 'th', 'td', 'pre'
 ],
 allowedAttributes: {
 // custom ones first:
@@ -101,9 +101,7 @@ var sanitizeHtmlParams = {
 selfClosing: [ 'img', 'br', 'hr', 'area', 'base', 'basefont', 'input', 'link', 'meta' ],
 // URL schemes we permit
 allowedSchemes: [ 'http', 'https', 'ftp', 'mailto' ],
- allowedSchemesByTag: {
- img: [ 'data' ],
- },
+ allowedSchemesByTag: {},
 transformTags: {
 // custom to matrix
 // add blank targets to all hyperlinks except vector URLs
From 5fff3bdf24088a316f2f64b64386e41a592d9ec4 Mon Sep 17 00:00:00 2001
From: David Baker
Date: Wed, 21 Sep 2016 16:25:18 +0100
Subject: [PATCH 2/6] Document brokenness
---
 src/HtmlUtils.js | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/src/HtmlUtils.js b/src/HtmlUtils.js
index b74b57ceac..01ae50cf68 100644
--- a/src/HtmlUtils.js
+++ b/src/HtmlUtils.js
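Review bot: Dropping `'img'` from allowedTags is the effective mitigation in this hunk, but nothing at that line says why, and the second hunk's context still lists `'img'` in `selfClosing` while the `allowedAttributes` block (cut at this hunk's edge) may still carry an `img` entry. Those leftovers are inert once the tag is disallowed, but they make it easy for a later change to re-add `'img'` to allowedTags without revisiting the protocol-relative-URL problem that motivated this revert. A comment on the `'pre'` line, e.g. `// no 'img': the sanitizer accepts protocol-relative ('//') src values regardless of allowedSchemesByTag, so remote images could be fetched over the page's own scheme`, would anchor the reason where the next editor will look, and dropping `'img'` from `selfClosing` in the same change would keep the config self-consistent. The `sanitizeHtmlParams` object starts and ends outside this hunk.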
@@ -101,6 +101,10 @@ var sanitizeHtmlParams = {
 selfClosing: [ 'img', 'br', 'hr', 'area', 'base', 'basefont', 'input', 'link', 'meta' ],
 // URL schemes we permit
 allowedSchemes: [ 'http', 'https', 'ftp', 'mailto' ],
+
+ // DO NOT USE. sanitize-html allows all URL starting with '//'
+ // so this will always allow links to whatever scheme the
+ // host page is served over.
 allowedSchemesByTag: {},
 transformTags: {
 // custom to matrix
From 58de14a4c668a001c8774ade8738f54719157573 Mon Sep 17 00:00:00 2001
From: David Baker
Date: Wed, 21 Sep 2016 17:26:15 +0100
Subject: [PATCH 3/6] Pin to released js-sdk
---
 package.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/package.json b/package.json
index fcd09f71e4..9c7b084b58 100644
--- a/package.json
+++ b/package.json
@@ -39,7 +39,7 @@
 "linkifyjs": "2.0.0-beta.4",
 "lodash": "^4.13.1",
 "marked": "^0.3.5",
- "matrix-js-sdk": "matrix-org/matrix-js-sdk#develop",
+ "matrix-js-sdk": "0.6.1",
 "optimist": "^0.6.1",
 "q": "^1.4.1",
 "react": "^15.2.1",
From a9494252d50f0f597850d36b5209e41d2b4144f3 Mon Sep 17 00:00:00 2001
From: David Baker
Date: Wed, 21 Sep 2016 17:28:08 +0100
Subject: [PATCH 4/6] Prepare changelog for v0.7.2
---
 CHANGELOG.md | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 7fdbe28eb9..c67bfb8f36 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
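Review bot: The new comment on `allowedSchemesByTag` describes the library behaviour but not the consequence that actually drove the change, so someone who re-adds `img: [ 'data' ]` here still has no pointer to the `allowedTags` side of the fix. As the preceding patch's message explains, the concern is that a `//host/path` value passes the per-tag scheme check and causes an image to be fetched over the page's own scheme, which is why `'img'` was dropped from `allowedTags`; an `a href` is much less affected, since a protocol-relative link resolves to http/https, both already in `allowedSchemes`. I would make that explicit, e.g. `// DO NOT USE: sanitize-html accepts protocol-relative ('//') URLs without consulting per-tag scheme lists, so an img entry here would still let remote images load over the page's scheme; 'img' has therefore been removed from allowedTags.` Newer sanitize-html releases expose an `allowProtocolRelative` option; if the version in use supports it, setting it to `false` is the point at which this map could be relied on again. The `sanitizeHtmlParams` object starts and ends outside this hunk.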
@@ -1,3 +1,14 @@
+Changes in [0.7.2](https://github.com/matrix-org/matrix-react-sdk/releases/tag/v0.7.2) (2016-09-21)
+===================================================================================================
+[Full Changelog](https://github.com/matrix-org/matrix-react-sdk/compare/v0.7.1...v0.7.2)
+
+ * Revert #333
+ [\#491](https://github.com/matrix-org/matrix-react-sdk/pull/491)
+ * EncryptedEventDialog updates
+ [\#490](https://github.com/matrix-org/matrix-react-sdk/pull/490)
+ * Apply heuristic on incoming DMs
+ [\#487](https://github.com/matrix-org/matrix-react-sdk/pull/487)
+
 Changes in [0.7.1](https://github.com/matrix-org/matrix-react-sdk/releases/tag/v0.7.1) (2016-09-21)
 ===================================================================================================
 * Correct js-sdk version dependency
From be232bc1dae463e2ca90fb0710a0220ac068abe9 Mon Sep 17 00:00:00 2001
From: David Baker
Date: Wed, 21 Sep 2016 17:28:08 +0100
Subject: [PATCH 5/6] 0.7.2
---
 package.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/package.json b/package.json
index 9c7b084b58..8de55e3c08 100644
--- a/package.json
+++ b/package.json
@@ -1,6 +1,6 @@
 {
 "name": "matrix-react-sdk",
- "version": "0.7.1",
+ "version": "0.7.2",
 "description": "SDK for matrix.org using React",
 "author": "matrix.org",
 "repository": {
From fedc0f2ec62a137c60e3080287315fbb6696a081 Mon Sep 17 00:00:00 2001
From: David Baker
Date: Wed, 21 Sep 2016 17:32:54 +0100
Subject: [PATCH 6/6] Back to develop
---
 package.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/package.json b/package.json
index 8de55e3c08..d361f79937 100644
--- a/package.json
+++ b/package.json
@@ -39,7 +39,7 @@
 "linkifyjs": "2.0.0-beta.4",
 "lodash": "^4.13.1",
 "marked": "^0.3.5",
- "matrix-js-sdk": "0.6.1",
+ "matrix-js-sdk": "matrix-org/matrix-js-sdk#develop",
 "optimist": "^0.6.1",
 "q": "^1.4.1",
 "react": "^15.2.1",