-rwxr-xr-xclient/components/main/editor.js4
-rw-r--r--package.json3
2 files changed, 6 insertions, 1 deletions
diff --git a/client/components/main/editor.js b/client/components/main/editor.js
index 17429067..95a96236 100755
--- a/client/components/main/editor.js
+++ b/client/components/main/editor.js
@@ -44,6 +44,8 @@ Template.editor.onRendered(() => {
]);
});
+import sanitizeXss from 'xss';
+
// XXX I believe we should compute a HTML rendered field on the server that
// would handle markdown, emoji and user mentions. We can simply have two
// fields, one source, and one compiled version (in HTML) and send only the
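Review bot: The new `import sanitizeXss from 'xss';` is placed mid-file, below the `Template.editor.onRendered` block, instead of with the file's other imports; ES module imports are hoisted so it still works, but a reader scanning the top of the file will not see that rendering now depends on a third-party sanitizer. Move it to the import block at the top of the file (outside this hunk) and leave only a pointer here, e.g. `// Rendered mention/markdown output is passed through the xss sanitizer in the mentions helper below.` The XXX comment that follows still describes the server-side rendering plan, so it is worth stating there that client-side sanitization is the interim measure rather than the intended end state.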
@@ -86,7 +88,7 @@ Blaze.Template.registerHelper('mentions', new Template('mentions', function() {
content = content.replace(fullMention, Blaze.toHTML(link));
}
- return HTML.Raw(content);
+ return HTML.Raw(sanitizeXss(content));
}));
Template.viewer.events({
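Review bot: At line 25 the sanitizer runs with the library's default options, so the `<a>` spliced in by `Blaze.toHTML(link)` at line 22 only survives if its attributes are in xss's default whitelist (href/title/target for `a`); any class or data attribute the mention link carries would presumably be stripped, so confirm the link still renders as intended and pass an explicit `whiteList` option if it does not. Also confirm that the `xss` version being pulled in rejects `javascript:` and non-image `data:` values on `href`/`src` in its attribute filter, since a whitelisted tag with an unfiltered URL attribute would defeat the change. By default non-whitelisted tags are escaped rather than removed (`stripIgnoreTag` is off), so a `<script>` in the source text will appear as literal text in the card; that is acceptable but should be documented: `// Sanitize after mention links are spliced in; default whitelist, non-whitelisted tags are escaped, not dropped.` The enclosing `mentions` helper begins before this hunk.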
diff --git a/package.json b/package.json
index dcf7cbb2..cc0b7524 100644
--- a/package.json
+++ b/package.json
@@ -18,5 +18,8 @@
"homepage": "https://wekan.io",
"devDependencies": {
"eslint": "^2.0.0"
+ },
+ "dependencies": {
+ "xss": "^0.2.13"
}
}
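Review bot: `"xss": "^0.2.13"` makes the sanitizer a floating dependency: for a 0.x package the caret admits any later 0.2.x patch release, and no lockfile is part of this change, so the exact sanitizer code that ends up in a build is decided at install time rather than by this commit. Because this package is now a security boundary for card content, pin it to an exact version (`"xss": "0.2.13"`) or add a lockfile, and bump it deliberately after reviewing the changelog.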