Add DOMPurify to address XSS issues; closes #420

bower.json

@@ -17,10 +17,10 @@
     "font-awesome": "~4.4.0",
     "primer-css": "3.x.x",
     "jquery": "~1.11.x",
-    "keen-js": "~3.4.0",
     "trackjs": "~2.10.1",
     "typeahead.js": "~0.11.1",
     "plyr": "1.6.x",
-    "urijs": "1.18.1"
+    "urijs": "1.18.1",
+    "DOMPurify": "^3.1.0"
   }
 }

bower_components/DOMPurify/.bower.json

@@ -0,0 +1,42 @@
+{
+  "name": "DOMPurify",
+  "version": "3.1.0",
+  "homepage": "https://github.com/cure53/DOMPurify",
+  "author": "Cure53 <[email protected]>",
+  "description": "A DOM-only, super-fast, uber-tolerant XSS sanitizer for HTML, MathML and SVG",
+  "main": "src/purify.js",
+  "keywords": [
+    "dom",
+    "xss",
+    "cross site scripting",
+    "html",
+    "svg",
+    "mathml",
+    "sanitizer",
+    "filter",
+    "sanitize",
+    "security",
+    "secure"
+  ],
+  "license": [
+    "MPL-2.0",
+    "Apache-2.0"
+  ],
+  "ignore": [
+    "**/.*",
+    "demos",
+    "scripts",
+    "test",
+    "website"
+  ],
+  "_release": "3.1.0",
+  "_resolution": {
+    "type": "version",
+    "tag": "3.1.0",
+    "commit": "db19269d8f9029cba78eabc9d6b52e73c31702ad"
+  },
+  "_source": "https://github.com/cure53/DOMPurify.git",
+  "_target": "^3.1.0",
+  "_originalSource": "DOMPurify",
+  "_direct": true
+}

bower_components/DOMPurify/SECURITY.md

@@ -0,0 +1,9 @@
+## Supported Versions
+
+Always the latest release.
+
+## Reporting a Vulnerability
+
+First of all, please immediately contact us via [email](mailto:[email protected]) so we can work on a fix. [PGP key](https://keyserver.ubuntu.com/pks/lookup?op=vindex&search=0xC26C858090F70ADA)
+
+Also, you probably qualify for a bug bounty! The fine folks over at [Fastmail](https://www.fastmail.com/) use DOMPurify for their services and added our library to their bug bounty scope. So, if you find a way to bypass or weaken DOMPurify, please also have a look at their website and the [bug bounty info](https://www.fastmail.com/about/bugbounty/).

bower_components/DOMPurify/bower.json

@@ -0,0 +1,32 @@
+{
+  "name": "DOMPurify",
+  "version": "3.1.0",
+  "homepage": "https://github.com/cure53/DOMPurify",
+  "author": "Cure53 <[email protected]>",
+  "description": "A DOM-only, super-fast, uber-tolerant XSS sanitizer for HTML, MathML and SVG",
+  "main": "src/purify.js",
+  "keywords": [
+    "dom",
+    "xss",
+    "cross site scripting",
+    "html",
+    "svg",
+    "mathml",
+    "sanitizer",
+    "filter",
+    "sanitize",
+    "security",
+    "secure"
+  ],
+  "license": [
+    "MPL-2.0",
+    "Apache-2.0"
+  ],
+  "ignore": [
+    "**/.*",
+    "demos",
+    "scripts",
+    "test",
+    "website"
+  ]
+}