Sanitize HTML

src/components/dialog/dialog.js

@@ -1,3 +1,4 @@
+import DOMPurify from 'dompurify';
 import escapeHtml from 'escape-html';
 import dialogHelper from '../dialogHelper/dialogHelper';
 import dom from '../../scripts/dom';
@@ -54,7 +55,7 @@ import template from './dialog.template.html';
         }
 
         const displayText = options.html || options.text || '';
-        dlg.querySelector('.text').innerHTML = displayText;
+        dlg.querySelector('.text').innerHTML = DOMPurify.sanitize(displayText);
 
         if (!displayText) {
             dlg.querySelector('.dialogContentInner').classList.add('hide');

src/controllers/itemDetails/index.js

@@ -1,4 +1,5 @@
 import { intervalToDuration } from 'date-fns';
+import DOMPurify from 'dompurify';
 import escapeHtml from 'escape-html';
 import { appHost } from '../../components/apphost';
 import loading from '../../components/loading/loading';
@@ -902,7 +903,7 @@ function renderOverview(page, item) {
     const overviewElements = page.querySelectorAll('.overview');
 
     if (overviewElements.length > 0) {
-        const overview = item.Overview || '';
+        const overview = DOMPurify.sanitize(item.Overview || '');
 
         if (overview) {
             for (const overviewElemnt of overviewElements) {