diff --git a/.gitignore b/.gitignore index 4e78ae3..5bd49e5 100644 --- a/.gitignore +++ b/.gitignore @@ -12,6 +12,7 @@ nbproject/ *.swp *.kdev4 .kdev4/* +.idea/ # Ignore ALL config files conf.php diff --git a/.horde.yml b/.horde.yml index f41fc24..be7b61d 100644 --- a/.horde.yml +++ b/.horde.yml @@ -7,6 +7,12 @@ list: dev type: library homepage: https://www.horde.org/libraries/Horde_Mime_Viewer authors: + - + name: Jan Schneider + user: yunosh + email: jan@horde.org + active: true + role: lead - name: Michael Slusarz user: slusarz @@ -39,3 +45,7 @@ dependencies: optional: pear: pear.php.net/Net_DNS2: '*' + ext: + dom: '*' + libxml: '*' + xsl: '*' diff --git a/composer.json b/composer.json index 1e5139a..bd0d81f 100644 --- a/composer.json +++ b/composer.json @@ -5,6 +5,11 @@ "homepage": "https://www.horde.org/libraries/Horde_Mime_Viewer", "license": "LGPL-2.1", "authors": [ + { + "name": "Jan Schneider", + "email": "jan@horde.org", + "role": "lead" + }, { "name": "Michael Slusarz", "email": "slusarz@horde.org", @@ -12,7 +17,7 @@ } ], "version": "2.2.3", - "time": "2017-11-14", + "time": "2022-03-01", "repositories": [ { "type": "pear", @@ -32,7 +37,10 @@ "ext-xml": "*" }, "suggest": { - "pear-pear.php.net/Net_DNS2": "*" + "pear-pear.php.net/Net_DNS2": "*", + "ext-dom": "*", + "ext-libxml": "*", + "ext-xsl": "*" }, "replace": { "pear-pear.horde.org/Horde_Mime_Viewer": "2.*", @@ -43,4 +51,4 @@ "Horde_Mime_Viewer": "lib/" } } -} +} \ No newline at end of file diff --git a/doc/Horde/Mime/Viewer/changelog.yml b/doc/Horde/Mime/Viewer/changelog.yml index 0604f46..75f571d 100644 --- a/doc/Horde/Mime/Viewer/changelog.yml +++ b/doc/Horde/Mime/Viewer/changelog.yml @@ -8,7 +8,8 @@ license: identifier: LGPL-2.1 uri: http://www.horde.org/licenses/lgpl21 - notes: + notes: | + [jan] Fix XSS vulnerability in Open Document mime viewer (Reported by: Simon Scannell, SonarSource ). 2.2.2: api: 2.1.0 state: 
diff --git a/lib/Horde/Mime/Viewer/Ooo.php b/lib/Horde/Mime/Viewer/Ooo.php index 4e56e95..2c11120 100644 --- a/lib/Horde/Mime/Viewer/Ooo.php +++ b/lib/Horde/Mime/Viewer/Ooo.php @@ -123,7 +123,9 @@ protected function _render() $xml = new DOMDocument(); $xml->load(realpath($tmpdir . 'content.xml')); $result = $xslt->transformToXml($xml); - if (!$result) { + if ($result) { + $result = Horde_Text_Filter::filter($result, 'xss'); + } else { $result = libxml_get_last_error()->message; } diff --git a/package.xml b/package.xml index deb3ffc..577abc7 100644 --- a/package.xml +++ b/package.xml @@ -3,14 +3,20 @@ Horde_Mime_Viewer pear.horde.org MIME viewer library - Provides rendering drivers for MIME data. + A library that provides rendering drivers for MIME data. + + Jan Schneider + yunosh + jan@horde.org + yes + Michael Slusarz slusarz slusarz@horde.org no - 2017-11-14 + 2022-03-01 2.2.3 2.1.0 @@ -410,7 +416,10 @@ - + + + + @@ -492,6 +501,15 @@ Net_DNS2 pear.php.net + + dom + + + libxml + + + xsl + @@ -674,7 +692,10 @@ - + + + + @@ -1130,7 +1151,7 @@ stable stable - 2017-11-14 + 2022-03-01 LGPL-2.1 * diff --git a/test/Horde/Mime/Viewer/AllTests.php b/test/Horde/Mime/Viewer/AllTests.php new file mode 100644 index 0000000..49583c8 --- /dev/null +++ b/test/Horde/Mime/Viewer/AllTests.php @@ -0,0 +1,3 @@ +run(); diff --git a/test/Horde/Mime/Viewer/OooTest.php b/test/Horde/Mime/Viewer/OooTest.php new file mode 100644 index 0000000..ab02ce2 --- /dev/null +++ b/test/Horde/Mime/Viewer/OooTest.php 
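Review bot: The new `xss` filter covers only the success branch of the Ooo.php hunk; the `else` branch still returns `libxml_get_last_error()->message` verbatim, and libxml messages can echo fragments of the attacker-supplied document, so unless that string is escaped later in `_render()` it should be escaped here as well. `libxml_get_last_error()` also returns `false` when no error is recorded, so the `->message` access can fail on its own; `$err = libxml_get_last_error(); $result = $err ? htmlspecialchars($err->message, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8') : '';` covers both. Since `$xml->load()` parses `content.xml` taken from an untrusted archive, it is worth confirming that external entity loading is disabled for that parse (`LIBXML_NONET`, plus `libxml_disable_entity_loader(true)` on PHP versions before 8.0) — the hunk does not show it. `_render()` starts and ends outside the hunk.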
@@ -0,0 +1,40 @@ + + * @category Horde + * @copyright 2022 Horde LLC + * @internal + * @license http://www.horde.org/licenses/lgpl21 LGPL 2.1 + * @package Mime + * @subpackage UnitTests + */ +class Horde_Mime_MimeTest extends \PHPUnit\Framework\TestCase +{ + + public function testXssVulnerability() + { + $mimePart = new Horde_Mime_Part(); + $mimePart->setContents(file_get_contents(__DIR__ . '/xss.odt')); + $viewer = new Horde_Mime_Viewer_Ooo( + $mimePart, + array('zip' => new Horde_Compress_Zip()) + ); + $html = current(@$viewer->render('full')); + + $this->assertNotContains("", $html['data']); + $this->assertNotContains("javascript:alert('xss')", $html['data']); + } + +} diff --git a/test/Horde/Mime/Viewer/bootstrap.php b/test/Horde/Mime/Viewer/bootstrap.php new file mode 100644 index 0000000..4e19e93 --- /dev/null +++ b/test/Horde/Mime/Viewer/bootstrap.php @@ -0,0 +1,3 @@ + array( - 'name' => 'www.example.com', - 'port' => 80 - ), - 'use_ssl' => 0 -); -$registry = new Registry(); -$browser = new Browser(); - -$tests = array( - 'link', - 'link', - 'link', - 'link', - 'link', - 'link', - 'link' -); - -foreach ($tests as $val) { - $part = new Horde_Mime_Part(); - $part->setType('text/html'); - $part->setContents($val); - $viewer = Horde_Mime_Viewer::factory($part, 'text/html'); - echo $viewer->render(); -} - -?> ---EXPECT-- -link -link -link -link -link -link -link diff --git a/test/Horde/Mime/Viewer/xss.odt b/test/Horde/Mime/Viewer/xss.odt new file mode 100644 index 0000000..7faf19b Binary files /dev/null and b/test/Horde/Mime/Viewer/xss.odt differ
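Review bot: The test class in OooTest.php is named `Horde_Mime_MimeTest` although it exercises `Horde_Mime_Viewer_Ooo`; naming it `Horde_Mime_Viewer_OooTest` matches the file and keeps it from colliding with any other `Horde_Mime_MimeTest` the suite may load. The `@` on `$viewer->render('full')` silences whatever the zip extraction or XSLT path emits, which makes a broken fixture or missing extension (dom/xsl are only suggested, not required, per the composer.json hunk) hard to diagnose; drop the `@` and let the warning surface, or assert on the failure explicitly. `assertNotContains` on string haystacks is deprecated in PHPUnit 9 in favour of `assertStringNotContainsString`, and the first needle appears empty as rendered here (possibly an extraction artefact) — confirm the intended `<script>` marker is present in the committed file, since an empty needle makes the assertion meaningless.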