From 8420d0fef20851d259df891289bebaf5ea342a7c Mon Sep 17 00:00:00 2001
From: Dmitry Lyzo
Date: Sun, 30 Jan 2022 18:29:40 +0300
Subject: [PATCH] Sanitize HTML

---
 src/components/dialog/dialog.js | 3 ++-
 src/controllers/itemDetails/index.js | 3 ++-
 2 files changed, 4 insertions(+), 2 deletions(-)

diff --git a/src/components/dialog/dialog.js b/src/components/dialog/dialog.js
index 68b8c0a4b..9629e9bb2 100644
--- a/src/components/dialog/dialog.js
+++ b/src/components/dialog/dialog.js
@@ -1,3 +1,4 @@
+import DOMPurify from 'dompurify';
 import escapeHtml from 'escape-html';
 import dialogHelper from '../dialogHelper/dialogHelper';
 import dom from '../../scripts/dom';
@@ -54,7 +55,7 @@ import template from './dialog.template.html';
     }
 
     const displayText = options.html || options.text || '';
-    dlg.querySelector('.text').innerHTML = displayText;
+    dlg.querySelector('.text').innerHTML = DOMPurify.sanitize(displayText);
 
     if (!displayText) {
         dlg.querySelector('.dialogContentInner').classList.add('hide');
diff --git a/src/controllers/itemDetails/index.js b/src/controllers/itemDetails/index.js
index 445e68aaf..25b47cbd7 100644
--- a/src/controllers/itemDetails/index.js
+++ b/src/controllers/itemDetails/index.js
@@ -1,4 +1,5 @@
 import { intervalToDuration } from 'date-fns';
+import DOMPurify from 'dompurify';
 import escapeHtml from 'escape-html';
 import { appHost } from '../../components/apphost';
 import loading from '../../components/loading/loading';
@@ -902,7 +903,7 @@ function renderOverview(page, item) {
     const overviewElements = page.querySelectorAll('.overview');
 
     if (overviewElements.length > 0) {
-        const overview = DOMPurify.sanitize(item.Overview || '');
+        const overview = DOMPurify.sanitize(item.Overview || '');
 
         if (overview) {
             for (const overviewElemnt of overviewElements) {
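Review bot: The new `import DOMPurify from 'dompurify'` in this hunk (and the matching one in src/controllers/itemDetails/index.js) is not paired with a package manifest or lockfile change anywhere in the diffstat, which lists only the two source files. If dompurify is not already a declared dependency of the project, the build will fail on the unresolved module; if it is, the commit should say so, since a sanitizer is a trust boundary and reviewers will want to know which version is pinned. A one-line mention in the commit description, or the manifest/lockfile hunk, would settle it.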
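Review bot: The sanitized value is assigned to `innerHTML` but the `if (!displayText)` check two lines later still tests the unsanitized string, so input that DOMPurify reduces to an empty string leaves `.dialogContentInner` visible with no content. Bind the sanitized result once and use it for both the assignment and the emptiness check, e.g. `const safeText = DOMPurify.sanitize(displayText);` / `dlg.querySelector('.text').innerHTML = safeText;` / `if (!safeText) {`. Separately, `options.text` is plain text by contract yet reaches the same `innerHTML` path; since `escapeHtml` is already imported in this file, the text branch could be escaped rather than parsed as markup, though whether callers rely on markup in `options.text` is not visible from this hunk. The enclosing function starts and ends outside the hunk.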
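Review bot: `DOMPurify.sanitize(item.Overview || '')` is introduced with no comment explaining why the overview is treated as HTML rather than escaped as text, and the sink that consumes `overview` lies outside this hunk, so a reader cannot see from here that it is an `innerHTML` assignment. Since `item.Overview` presumably comes from server metadata that may legitimately contain markup, a short comment such as `// Overview may carry provider-supplied markup; sanitize rather than escape before it reaches innerHTML` would document the intent and warn future edits against routing it through a different sink unsanitized. Note also that sanitization happens once here, so any later code in renderOverview that re-reads `item.Overview` directly would bypass it; worth confirming in the rest of the function, which continues outside the hunk.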