diff --git a/libs/htmlWhitelistPost.json b/libs/htmlWhitelistPost.json
new file mode 100644
index 000000000..1093c91ab
--- /dev/null
+++ b/libs/htmlWhitelistPost.json
@@ -0,0 +1,76 @@
+{
+ "allowedTags": [
+ "h1",
+ "h2",
+ "h3",
+ "h4",
+ "h5",
+ "h6",
+ "h7",
+ "h8",
+ "p",
+ "div",
+ "blockquote",
+ "pre",
+ "b",
+ "i",
+ "strong",
+ "em",
+ "tt",
+ "code",
+ "ins",
+ "del",
+ "sup",
+ "sub",
+ "kbd",
+ "samp",
+ "q",
+ "var",
+ "ol",
+ "ul",
+ "li",
+ "dl",
+ "dt",
+ "dd",
+ "table",
+ "thead",
+ "tbody",
+ "tfoot",
+ "tr",
+ "td",
+ "th",
+ "br",
+ "hr",
+ "ruby",
+ "rt",
+ "rp"
+ ],
+ "allowedAttributes": {
+ "a": [
+ "href"
+ ],
+ "img": [
+ "src"
+ ],
+ "div": [
+ "itemscope",
+ "itemtype"
+ ]
+ },
+ "selfClosing": [
+ "img",
+ "br",
+ "hr",
+ "area",
+ "base",
+ "basefont",
+ "input",
+ "link",
+ "meta"
+ ],
+ "allowedSchemes": [
+ "http",
+ "https",
+ "mailto"
+ ]
+}
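Review bot: `allowedAttributes` whitelists `href` on `a` and `src` on `img`, but neither `a` nor `img` appears in `allowedTags`, so sanitize-html discards those elements before attribute filtering ever runs and the `href`/`src` entries, together with the `allowedSchemes` list that exists to guard them, are dead configuration. If links and images are meant to survive in posts, add `"a"` and `"img"` to `allowedTags` so the scheme check actually applies to them; if they are meant to be stripped, drop the `a` and `img` attribute entries so the policy reads as intended. `h7` and `h8` are not HTML elements and can be removed from `allowedTags`. Entries in `selfClosing` for tags outside `allowedTags` are harmless but equally unused.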
diff --git a/libs/markdown.js b/libs/markdown.js
index a911a1777..d60a8abaf 100644
--- a/libs/markdown.js
+++ b/libs/markdown.js
@@ -1,6 +1,7 @@
var marked = require('marked');
var hljs = require('highlight.js');
-var xss = require('simple-xss');
+var sanitizeHtml = require('sanitize-html');
+var htmlWhitelistPost = require('./htmlWhitelistPost.json');
var renderer = new marked.Renderer();
// Automatically generate an anchor for each header
@@ -33,11 +34,11 @@ marked.setOptions({
tables: true,
breaks: true,
pedantic: false,
- sanitize: false, // we use xss to sanitize HTML
+ sanitize: false, // we use sanitize-html to sanitize HTML
smartLists: true,
smartypants: false
});
exports.renderMd = function (text) {
- return xss(marked(text));
+ return marked(sanitizeHtml(text), htmlWhitelistPost);
};
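Review bot: The new `renderMd` body inverts the sanitizer and misroutes the whitelist: `sanitizeHtml(text)` runs on the raw Markdown, so any HTML that `marked` itself produces from Markdown syntax (link and image targets, autolinks, raw HTML that survives as text) reaches the caller unsanitized, and `htmlWhitelistPost` is passed to `marked` as its options object, which does not read `allowedTags`, `allowedAttributes` or `allowedSchemes`, leaving `sanitizeHtml` on its library defaults. The removed line had the order right (sanitize the rendered output); the replacement should be `return sanitizeHtml(marked(text), htmlWhitelistPost);`. The updated comment on the `sanitize: false` line is only accurate once the sanitizer is applied to marked's output this way.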
diff --git a/package.json b/package.json
index 89fc3bfdf..62736dfd5 100644
--- a/package.json
+++ b/package.json
@@ -14,7 +14,7 @@
"async": "*",
"aws-sdk": "*",
"toobusy-js": "*",
- "simple-xss": "*",
+ "sanitize-html": "*",
"underscore": "*",
"moment": "*",
"github": "*",