From 69755d1fea7f416fd7a5a8a4ebdb1c2fe0495e21 Mon Sep 17 00:00:00 2001
From: Roland Osborne
Date: Tue, 4 Feb 2025 11:55:56 -0800
Subject: [PATCH] #146 - using url specific santizer, than you @mbaum0 for reporting!
---
 net/web/package.json | 1 +
 net/web/src/session/conversation/useConversation.hook.js | 6 +++---
 net/web/yarn.lock | 5 +++++
 3 files changed, 9 insertions(+), 3 deletions(-)
diff --git a/net/web/package.json b/net/web/package.json
index 32b0147d..e8853a18 100644
--- a/net/web/package.json
+++ b/net/web/package.json
@@ -16,6 +16,7 @@
 }
 },
 "dependencies": {
+ "@braintree/sanitize-url": "^7.1.1",
 "@charliewilco/gluejar": "^1.0.0",
 "@testing-library/jest-dom": "^5.14.1",
 "@testing-library/user-event": "^13.2.1",
diff --git a/net/web/src/session/conversation/useConversation.hook.js b/net/web/src/session/conversation/useConversation.hook.js
index 9cbe996c..c8098b05 100644
--- a/net/web/src/session/conversation/useConversation.hook.js
+++ b/net/web/src/session/conversation/useConversation.hook.js
@@ -9,7 +9,7 @@ import { ProfileContext } from 'context/ProfileContext';
 import { isUnsealed, getChannelSeals, getContentKey, encryptTopicSubject } from 'context/sealUtil';
 import { decryptTopicSubject } from 'context/sealUtil';
 import { getProfileByGuid } from 'context/cardUtil';
-import * as DOMPurify from 'dompurify';
+import { sanitizeUrl } from '@braintree/sanitize-url';
 export function useConversation(cardId, channelId) {
@@ -145,14 +145,14 @@ export function useConversation(cardId, channelId) {
 let group = '';
 let clickable = [];
- const words = text === [] ? '' : DOMPurify.sanitize(text).split(' ');
+ const words = !text ? [] : text.split(' ');
 words.forEach((word, index) => {
 if (!!urlPattern.test(word)) {
 clickable.push({ group });
 group = '';
 const url = !!hostPattern.test(word) ? word : `https://${word}`;
- clickable.push({ `${word} ` });
+ clickable.push({ word });
 } else {
 group += `${word} `;
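Review bot: In the second hunk of useConversation.hook.js the link target on the `const url = …` line is still built from the raw message word, and the `sanitizeUrl` call that the new import implies is not visible here (the anchor markup inside `clickable.push(...)` appears to have been lost in extraction), so confirm it wraps `url` exactly where the value becomes the `href`. As far as I know `sanitizeUrl` rejects a fixed set of script-capable schemes rather than allowing only web ones, so for chat links I would additionally restrict the result to http/https, e.g. `const safe = /^https?:\/\//i.test(url) ? sanitizeUrl(url) : 'about:blank';`. With `DOMPurify.sanitize(text)` removed, the plain-text groups depend on React's escaping, which holds only while they are rendered as text children and never passed to an HTML sink. The diffstat shows no test file; a case that feeds a `javascript:` word through this function and asserts the resulting `href` would pin the fix. The enclosing function starts and ends outside the hunk.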
diff --git a/net/web/yarn.lock b/net/web/yarn.lock index 18153f1b..7444b54c 100644 --- a/net/web/yarn.lock +++ b/net/web/yarn.lock @@ -1133,6 +1133,11 @@ resolved "https://registry.npmjs.org/@bcoe/v8-coverage/-/v8-coverage-0.2.3.tgz" integrity sha512-0hYQ8SB4Db5zvZB4axdMHGwEaQjkZzFjQiN9LVYvIFB2nSUHW9tYpxWriPrWDASIxiaXax83REcLxuSdnGPZtw== +"@braintree/sanitize-url@^7.1.1": + version "7.1.1" + resolved "https://registry.yarnpkg.com/@braintree/sanitize-url/-/sanitize-url-7.1.1.tgz#15e19737d946559289b915e5dad3b4c28407735e" + integrity sha512-i1L7noDNxtFyL5DmZafWy1wRVhGehQmzZaz1HiN5e7iylJMSZR7ekOV7NsIqa5qBldlLrsKv4HbgFUVlQrz8Mw== + "@charliewilco/gluejar@^1.0.0": version "1.0.0" resolved "https://registry.yarnpkg.com/@charliewilco/gluejar/-/gluejar-1.0.0.tgz#f228e8130d4e23401c119f32e27e5353c544c58e"