From 1f3015bd2c03b0735f30ad8a695293cf1788df45 Mon Sep 17 00:00:00 2001
From: Maxime Quandalle
Date: Mon, 18 Jul 2016 16:56:15 +0200
Subject: [PATCH] Fix #573

---
 client/components/main/editor.js | 4 +++-
 package.json | 3 +++
 2 files changed, 6 insertions(+), 1 deletion(-)

diff --git a/client/components/main/editor.js b/client/components/main/editor.js
index 174290678..95a96236e 100755
--- a/client/components/main/editor.js
+++ b/client/components/main/editor.js
@@ -44,6 +44,8 @@ Template.editor.onRendered(() => {
   ]);
 });
 
+import sanitizeXss from 'xss';
+
 // XXX I believe we should compute a HTML rendered field on the server that
 // would handle markdown, emoji and user mentions. We can simply have two
 // fields, one source, and one compiled version (in HTML) and send only the
@@ -86,7 +88,7 @@ Blaze.Template.registerHelper('mentions', new Template('mentions', function() {
     content = content.replace(fullMention, Blaze.toHTML(link));
   }
 
-  return HTML.Raw(content);
+  return HTML.Raw(sanitizeXss(content));
 }));
 
 Template.viewer.events({
diff --git a/package.json b/package.json
index dcf7cbb2d..cc0b75244 100644
--- a/package.json
+++ b/package.json
@@ -18,5 +18,8 @@
   "homepage": "https://wekan.io",
   "devDependencies": {
     "eslint": "^2.0.0"
+  },
+  "dependencies": {
+    "xss": "^0.2.13"
   }
 }
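Review bot: The new `import sanitizeXss from 'xss';` sits mid-file, after the `Template.editor.onRendered` block, instead of with the file's other imports at the top. ES module imports are hoisted so it works, but a reader checking what this file pulls in will not find the sanitizer where dependencies normally live; move the line to the top-level import block (outside this hunk). The XXX comment directly below already argues that rendering should happen on the server, so it is worth recording that this import supports a client-side output filter only, e.g. `// Client-side output sanitizer for the 'mentions' helper; see the XXX note below on server-side rendering.`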
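Review bot: `sanitizeXss(content)` on the new return line filters the injected mention markup together with the user text, because `Blaze.toHTML(link)` was spliced into `content` a few lines earlier in this hunk; if the library's default whitelist does not permit an attribute that link carries, the mention is silently degraded while the user's input is what the fix was aimed at. Confirm the attributes the link emits against the whitelist (or pass an explicit `whiteList` option) and document the placement: `// Sanitize last so raw text and the injected mention markup pass the same whitelist.` The enclosing `'mentions'` template function begins outside the hunk, so where `content` originates (and whether it is already HTML) cannot be seen here.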
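Review bot: `"xss": "^0.2.13"` is a caret range on a pre-1.0 package, and the diffstat lists only two changed files, so nothing in this commit pins the version that actually gets installed. Since the sanitizer's whitelist is the security boundary this fix relies on, consider an exact version or a committed lockfile so that any upgrade of the filter is reviewed rather than picked up implicitly.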