sanitize marked output with DOMPurify

purs/package.json

@@ -16,5 +16,7 @@
     "spago": "^0.20.3",
     "terser": "^5.7.2"
   },
-  "dependencies": {}
+  "dependencies": {
+    "dompurify": "^2.3.3"
+  }
 }

purs/src/Globals.js

@@ -15,15 +15,6 @@ exports._closest = function(just, nothing, selector, el) {
   }
 }
 
-exports._innerHtml = function(el) {
-  return el.innerHTML;
-}
-
-exports._setInnerHtml = function(content, el) {
-  el.innerHTML = content;
-  return el;
-}
-
 exports._createFormData = function(formElement) {
   return new FormData(formElement);
 }

purs/src/Globals.purs

@@ -51,16 +51,6 @@ foreign import _mmoment8601 :: forall a. Fn4 (a -> Maybe a) (Maybe a) (String ->
 mmoment8601 :: String -> Maybe (Tuple String String)
 mmoment8601 s = runFn4 _mmoment8601 Just Nothing Tuple s
 
-foreign import _innerHtml :: EffectFn1 HTMLElement String
-
-innerHtml :: HTMLElement -> Effect String
-innerHtml n = runEffectFn1 _innerHtml n
-
-foreign import _setInnerHtml :: EffectFn2 String HTMLElement HTMLElement
-
-setInnerHtml :: String -> HTMLElement -> Effect HTMLElement
-setInnerHtml c n = runEffectFn2 _setInnerHtml c n
-
 foreign import _createFormData :: Fn1 HTMLFormElement FormData
 
 createFormData :: HTMLFormElement -> FormData

purs/src/Marked.js

@@ -1,4 +1,5 @@
 var marked = require("marked");
+var DOMPurify = require("dompurify");
 
 marked.setOptions({
   pedantic: false,
@@ -7,5 +8,5 @@ marked.setOptions({
 
 exports.markedImpl = function(str) {
   if (!str) return "";
-  return marked(str);
+  return DOMPurify.sanitize(marked(str));
 };