From 5fff3bdf24088a316f2f64b64386e41a592d9ec4 Mon Sep 17 00:00:00 2001
From: David Baker
Date: Wed, 21 Sep 2016 16:25:18 +0100
Subject: [PATCH] Document brokenness
---
 src/HtmlUtils.js | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/src/HtmlUtils.js b/src/HtmlUtils.js
index b74b57ceac..01ae50cf68 100644
--- a/src/HtmlUtils.js
+++ b/src/HtmlUtils.js
@@ -101,6 +101,10 @@ var sanitizeHtmlParams = {
 selfClosing: [ 'img', 'br', 'hr', 'area', 'base', 'basefont', 'input', 'link', 'meta' ],
 // URL schemes we permit
 allowedSchemes: [ 'http', 'https', 'ftp', 'mailto' ],
+
+ // DO NOT USE. sanitize-html allows all URL starting with '//'
+ // so this will always allow links to whatever scheme the
+ // host page is served over.
 allowedSchemesByTag: {},
 transformTags: {
 // custom to matrix
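Review bot: The new comment above `allowedSchemesByTag` warns against the option but leaves the empty key in the config, so nothing prevents a later edit from populating it and reintroducing the protocol-relative bypass the comment describes. Because the hazard is that an href beginning with `//` inherits whatever scheme the host page is served over, the guard belongs in code rather than prose: presumably a `transformTags` hook (which opens on the last lines of this hunk and continues outside it) that drops or rewrites such hrefs for the affected elements, or removing the key until the library behaviour is addressed. If this is tracked against sanitize-html, citing that reference in the comment would make it clear when the warning can be retired. Minor wording: `all URL starting with '//'` should read `all URLs starting with '//'`. The enclosing `sanitizeHtmlParams` object begins before this hunk and ends after it.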