From 0b57f528bf72b07e542a99968f46e7a015abefff Mon Sep 17 00:00:00 2001
From: Calvin Montgomery
Date: Sun, 21 Mar 2021 21:31:20 -0700
Subject: [PATCH] deps: bump sanitize-html

---
 package.json | 2 +-
 test/xss.js | 8 +++++++-
 2 files changed, 8 insertions(+), 2 deletions(-)

diff --git a/package.json b/package.json
index 8d8b2b86..802bb94b 100644
--- a/package.json
+++ b/package.json
@@ -32,7 +32,7 @@
 "proxy-addr": "^2.0.6",
 "pug": "^3.0.2",
 "redis": "^3.0.2",
- "sanitize-html": "^1.14.1",
+ "sanitize-html": "^2.3.3",
 "serve-static": "^1.14.1",
 "socket.io": "^2.0.3",
 "source-map-support": "^0.5.19",
diff --git a/test/xss.js b/test/xss.js
index e353491a..bd9e4884 100644
--- a/test/xss.js
+++ b/test/xss.js
@@ -5,7 +5,13 @@ describe('XSS', () => {
 describe('sanitizeHTML', () => {
 it('behaves consistently w.r.t. special chars used in emotes', () => {
 const input = '`^~=| _-,;:!?/."()[]{}@$*\\&#%+á\t';
- const expected = '`^~=| _-,;:!?/."()[]{}@$*\\\\&#%+á\t';
+ const expected = '`^~=| _-,;:!?/."()[]{}@$*\\&#%+á\t';
+ assert.strictEqual(XSS.sanitizeHTML(input), expected);
+ });
+
+ it('disallows iframes', () => {
+ const input = '';
+ const expected = '';
 assert.strictEqual(XSS.sanitizeHTML(input), expected);
 });
 });
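Review bot: The new `'disallows iframes'` case in test/xss.js, as it appears here, sets both `input` and `expected` to `''`, so the assertion only checks that sanitizing an empty string yields an empty string and never exercises iframe removal; if the iframe markup was dropped when this patch was rendered, disregard, but otherwise `input` needs to contain an actual iframe element (with the exact string taken from the test's own fixture) and `expected` the sanitizer's output with it stripped. The first test's expectation also changes from a doubled backslash (`\\\\&`) to a single one (`\\&`), which means the sanitizer now passes a backslash through where it previously escaped it; that is presumably the behaviour of the bumped sanitize-html 2.x, and a one-line comment above the `expected` line saying so, e.g. `// sanitize-html 2.x leaves a single backslash unescaped (changed from 1.x)`, would save the next reader from treating the loosened expectation as a regression. The enclosing `describe('XSS', ...)` block starts outside the hunk.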