Sanitize HTML to prevent XSS attacks

README.md

@@ -21,7 +21,6 @@ Less distracting UI means a stronger focus on content.
 	* Links (pasting plain, creating from existing text, editing existing links...)
 	* Maybe *not* underline: underline is for links
 	* Images (drag and drop to either "upload" or upload)
-* Prevent XSS
 * Use something better than `contenteditable`
 	* [Why ContentEditable is Terrible][]
 	* Still needs to carry undos/redos between nodes

app.coffee

@@ -153,6 +153,7 @@ $Node = (data, fb_n)->
 
 	$node.content = (html)->
 		if typeof html is 'string'
+			html = DOMPurify.sanitize(html)
 			previous_content = html
 			unless $node.html() is html
 				$node.html(html)

index.html

@@ -13,7 +13,8 @@
 			import { initializeApp } from "https://www.gstatic.com/firebasejs/9.9.2/firebase-app.js";
 			import { getAuth, onAuthStateChanged, signInWithPopup, GoogleAuthProvider } from "https://www.gstatic.com/firebasejs/9.9.2/firebase-auth.js";
 			import { getDatabase, ref, set, push, remove, runTransaction, child, onValue, onChildAdded, onDisconnect } from "https://www.gstatic.com/firebasejs/9.9.2/firebase-database.js";
-
+			import DOMPurify from "./lib/purify.es.js";
+
 			const firebaseConfig = {
 				apiKey: "AIzaSyAz_Pu0oWNJjqYrB5AFrMp6Jv-eHcX4ngk",
 				authDomain: "mind-map.firebaseapp.com",
@@ -40,6 +41,7 @@
 			window.onValue = onValue;
 			window.onChildAdded = onChildAdded;
 			window.onDisconnect = onDisconnect;
+			window.DOMPurify = DOMPurify;
 		</script>
 		<script src="lib/jquery.js"></script>
 		<script src="lib/coffeescript.js"></script>