From 8ae210cbe227f60f23640691c71c171b4ef5a165 Mon Sep 17 00:00:00 2001
From: David Baker
Date: Wed, 21 Sep 2016 16:19:41 +0100
Subject: [PATCH] Revert #333

Revert https://github.com/matrix-org/matrix-react-sdk/pull/333/files since sanitizer blindly allows urls with no scheme, meaning // links can be used to fetch images over whatever scheme you serve vector over (ie. normally http/https).

---
 src/HtmlUtils.js | 6 ++----
 1 file changed, 2 insertions(+), 4 deletions(-)

diff --git a/src/HtmlUtils.js b/src/HtmlUtils.js
index 63445dcf30..b74b57ceac 100644
--- a/src/HtmlUtils.js
+++ b/src/HtmlUtils.js
@@ -87,7 +87,7 @@ var sanitizeHtmlParams = {
 // deliberately no h1/h2 to stop people shouting.
 'h3', 'h4', 'h5', 'h6', 'blockquote', 'p', 'a', 'ul', 'ol', 'nl', 'li',
 'b', 'i', 'u', 'strong', 'em', 'strike', 'code', 'hr', 'br', 'div',
- 'table', 'thead', 'caption', 'tbody', 'tr', 'th', 'td', 'pre', 'img',
+ 'table', 'thead', 'caption', 'tbody', 'tr', 'th', 'td', 'pre'
 ],
 allowedAttributes: {
 // custom ones first:
@@ -101,9 +101,7 @@ var sanitizeHtmlParams = {
 selfClosing: [ 'img', 'br', 'hr', 'area', 'base', 'basefont', 'input', 'link', 'meta' ],
 // URL schemes we permit
 allowedSchemes: [ 'http', 'https', 'ftp', 'mailto' ],
- allowedSchemesByTag: {
- img: [ 'data' ],
- },
+ allowedSchemesByTag: {},
 transformTags: { // custom to matrix
 // add blank targets to all hyperlinks except vector URLs
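Review bot: The reason for dropping 'img' from allowedTags (and, in the second hunk, emptying allowedSchemesByTag) exists only in the commit message, so nothing in HtmlUtils.js itself stops a later change from re-adding them. A short comment at the removal site would carry the rationale, e.g. `// deliberately no 'img': sanitize-html accepts scheme-less (//host) URLs, so inline images would be fetched over whatever scheme the page is served on` above the 'table' line, with the same note on `allowedSchemesByTag: {},`. The added line also drops the trailing comma after 'pre'; keeping `'pre',` matches the surrounding entries and keeps future additions to one-line diffs. Since allowedSchemes still governs 'a' hrefs, the same scheme-less acceptance presumably applies to links as well, which is worth confirming against the sanitize-html version in use.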