From 01d7b795ab25bedd9fbfe9ce311d6e04a034c219 Mon Sep 17 00:00:00 2001
From: Michael Telatynski <7t3chguy@gmail.com>
Date: Thu, 9 Mar 2023 09:08:42 +0000
Subject: [PATCH] Silence sanitize-html warning (#10334)

---
 src/utils/Reply.ts | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/src/utils/Reply.ts b/src/utils/Reply.ts
index ffa29b6ffd..99730b687d 100644
--- a/src/utils/Reply.ts
+++ b/src/utils/Reply.ts
@@ -44,7 +44,7 @@ export function stripPlainReply(body: string): string {
     return lines.join("\n");
 }
 
-// Part of Replies fallback support
+// Part of Replies fallback support - MUST NOT BE RENDERED DIRECTLY - UNSAFE HTML
 export function stripHTMLReply(html: string): string {
     // Sanitize the original HTML for inclusion in . We allow
     // any HTML, since the original sender could use special tags that we
@@ -56,6 +56,7 @@ export function stripHTMLReply(html: string): string {
     return sanitizeHtml(html, {
         allowedTags: false, // false means allow everything
         allowedAttributes: false,
+        allowVulnerableTags: false, // silence xss warning, we won't be rendering directly this, so it is safe to do
         // we somehow can't allow all schemes, so we allow all that we
         // know of and mxc (for img tags)
         allowedSchemes: [...PERMITTED_URL_SCHEMES, "mxc"],
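Review bot: The added `allowVulnerableTags: false` in the second hunk probably does not silence the warning the commit title refers to: as far as I recall sanitize-html emits its script/style warning whenever that option is falsy, so `false` behaves the same as leaving it unset — verify against the installed sanitize-html version, and if so the intended line is `allowVulnerableTags: true, // silence the sanitize-html XSS warning: this output is never rendered directly`. Independently of the flag, `allowedTags: false` together with `allowedAttributes: false` leaves every tag and attribute in place (only URL schemes are filtered via `allowedSchemes`), so the return value is unsanitized sender-controlled HTML and the only protection is every caller honouring the "MUST NOT BE RENDERED DIRECTLY" comment added in the first hunk. That contract would be more visible as a TSDoc block on `stripHTMLReply` stating that the result is unsanitized reply-fallback HTML which must go through the normal rendering sanitizer before being shown, and the inline comment reads better as `// silence the sanitize-html XSS warning: the output is never rendered directly, callers sanitize it again before display`. The body of stripHTMLReply starts in the first hunk and continues past the end of the diff.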