
Review usage of dangerouslySetInnerHTML #526

@nickdaugherty

Description

@uxcitizen noticed that there are several spots in this plugin using React's dangerouslySetInnerHTML.

https://github.com/Automattic/liveblog/search?q=dangerouslysetinnerhtml&unscoped_q=dangerouslysetinnerhtml

How many of those can we get rid of with refactoring?

Obviously some places are showing pre-rendered HTML from the server. In those cases, we should be sanitizing the HTML to strip out any unexpected or disallowed tags and attributes before passing it to dangerouslySetInnerHTML to reduce the potential for abuse.

Ideally we have 0 of these calls, but for the ones we can't get away from, we should be sure everything is sanitized as far as possible.
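For the call sites that must keep rendering server-side HTML, the sanitizing step the issue asks for looks like the allowlist filter below. This is an added illustration, not code from the liveblog plugin; the tag and attribute allowlists, the `entry.render` field in the usage comment, and the sample input are assumptions, and a maintained library such as DOMPurify would be the usual production choice.

```javascript
// Allowlist sanitizer applied before handing server-rendered HTML to
// React's dangerouslySetInnerHTML (illustrative, not the plugin's own code).
const ALLOWED_TAGS = new Set(['p', 'br', 'b', 'strong', 'i', 'em', 'a', 'ul', 'ol', 'li', 'blockquote']);
const ALLOWED_ATTRS = { a: new Set(['href', 'title']) };   // assumed per-tag attribute allowlist
// Elements whose entire content is dropped, not just the tag itself.
const DROP_CONTENT_TAGS = new Set(['script', 'style', 'iframe', 'object']);

const TAG_RE = /<\/?([a-zA-Z][a-zA-Z0-9]*)([^>]*)>/g;
const ATTR_RE = /([a-zA-Z][a-zA-Z0-9-]*)\s*(?:=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;

function safeUrl(value) {
  // Accept http(s), mailto and scheme-less (relative) URLs; reject javascript:, data:, etc.
  const v = value.trim().toLowerCase();
  return /^(https?:|mailto:)/.test(v) || !/^[a-z][a-z0-9+.-]*:/.test(v);
}

function sanitizeHtml(input) {
  // Strip dangerous elements together with their content first.
  let html = input;
  for (const tag of DROP_CONTENT_TAGS) {
    html = html.replace(new RegExp(`<${tag}\\b[^>]*>[\\s\\S]*?<\\/${tag}\\s*>`, 'gi'), '');
  }
  // Then rebuild every remaining tag from the allowlists only.
  return html.replace(TAG_RE, (match, name, attrs) => {
    const tag = name.toLowerCase();
    if (!ALLOWED_TAGS.has(tag)) return '';          // drop the tag, keep its text
    if (match.startsWith('</')) return `</${tag}>`;
    const allowed = ALLOWED_ATTRS[tag] || new Set();
    const kept = [];
    for (const m of attrs.matchAll(ATTR_RE)) {
      const attr = m[1].toLowerCase();
      const value = m[2] ?? m[3] ?? m[4] ?? '';
      if (!allowed.has(attr)) continue;               // drops onclick, style, srcdoc, ...
      if (attr === 'href' && !safeUrl(value)) continue;
      kept.push(`${attr}="${value.replace(/"/g, '&quot;')}"`);
    }
    return `<${tag}${kept.length ? ' ' + kept.join(' ') : ''}>`;
  });
}

// Constructed sample input: event handler, javascript: URL, script and img are all removed.
const SAMPLE = '<p onclick="x()">Hi <a href="javascript:alert(1)" title="t">x</a>'
  + '<script>evil()</script><img src=x onerror=alert(1)></p>';
console.log(sanitizeHtml(SAMPLE));

// In a component (JSX shown as a comment; entry.render is an assumed field):
// <div dangerouslySetInnerHTML={{ __html: sanitizeHtml(entry.render) }} />
```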
