diff --git a/src/HtmlUtils.js b/src/HtmlUtils.js index 63445dcf30..01ae50cf68 100644 --- a/src/HtmlUtils.js +++ b/src/HtmlUtils.js @@ -87,7 +87,7 @@ var sanitizeHtmlParams = { // deliberately no h1/h2 to stop people shouting. 'h3', 'h4', 'h5', 'h6', 'blockquote', 'p', 'a', 'ul', 'ol', 'nl', 'li', 'b', 'i', 'u', 'strong', 'em', 'strike', 'code', 'hr', 'br', 'div', - 'table', 'thead', 'caption', 'tbody', 'tr', 'th', 'td', 'pre', 'img', + 'table', 'thead', 'caption', 'tbody', 'tr', 'th', 'td', 'pre' ], allowedAttributes: { // custom ones first: @@ -101,9 +101,11 @@ var sanitizeHtmlParams = { selfClosing: [ 'img', 'br', 'hr', 'area', 'base', 'basefont', 'input', 'link', 'meta' ], // URL schemes we permit allowedSchemes: [ 'http', 'https', 'ftp', 'mailto' ], - allowedSchemesByTag: { - img: [ 'data' ], - }, + + // DO NOT USE. sanitize-html allows all URL starting with '//' + // so this will always allow links to whatever scheme the + // host page is served over. + allowedSchemesByTag: {}, transformTags: { // custom to matrix // add blank targets to all hyperlinks except vector URLs