diff --git a/client/build.js b/client/build.js
index 46406f03..f201a129 100755
--- a/client/build.js
+++ b/client/build.js
@@ -21,6 +21,7 @@ const webapp_splash_screens = [
 ];
 
 const external_js = [
+    'dompurify',
     'js-cookie',
     'marked',
     'mousetrap',
diff --git a/client/js/util/markdown.js b/client/js/util/markdown.js
index 792c9383..22cdae50 100644
--- a/client/js/util/markdown.js
+++ b/client/js/util/markdown.js
@@ -1,6 +1,7 @@
 "use strict";
 
 const marked = require("marked");
+const DOMPurify = require("dompurify");
 
 class BaseMarkdownWrapper {
     preprocess(text) {
@@ -158,7 +159,6 @@ function formatMarkdown(text) {
     const options = {
         renderer: renderer,
         breaks: true,
-        sanitize: true,
         smartypants: true,
     };
     let wrappers = [
@@ -179,7 +179,7 @@ function formatMarkdown(text) {
     for (let wrapper of wrappers) {
         text = wrapper.postprocess(text);
     }
-    return text;
+    return DOMPurify.sanitize(text);
 }
 
 function formatInlineMarkdown(text) {
@@ -187,7 +187,6 @@ function formatInlineMarkdown(text) {
     const options = {
         renderer: renderer,
         breaks: true,
-        sanitize: true,
         smartypants: true,
     };
     let wrappers = [
@@ -206,7 +205,7 @@ function formatInlineMarkdown(text) {
     for (let wrapper of wrappers) {
         text = wrapper.postprocess(text);
     }
-    return text;
+    return DOMPurify.sanitize(text);
 }
 
 module.exports = {
diff --git a/client/package-lock.json b/client/package-lock.json
index 0c02ffd5..c8d88729 100644
--- a/client/package-lock.json
+++ b/client/package-lock.json
@@ -1740,6 +1740,11 @@
       "integrity": "sha512-jnjyiM6eRyZl2H+W8Q/zLMA481hzi0eszAaBUzIVnmYVDBbnLxVNnfu1HgEBvCbL+71FrxMl3E6lpKH7Ge3OXA==",
       "dev": true
     },
+    "dompurify": {
+      "version": "2.0.11",
+      "resolved": "https://registry.npmjs.org/dompurify/-/dompurify-2.0.11.tgz",
+      "integrity": "sha512-qVoGPjIW9IqxRij7klDQQ2j6nSe4UNWANBhZNLnsS7ScTtLb+3YdxkRY8brNTpkUiTtcXsCJO+jS0UCDfenLuA=="
+    },
     "duplexer2": {
       "version": "0.1.4",
       "resolved": "https://registry.npmjs.org/duplexer2/-/duplexer2-0.1.4.tgz",
diff --git a/client/package.json b/client/package.json
index 696a2153..e581cd63 100644
--- a/client/package.json
+++ b/client/package.json
@@ -6,6 +6,7 @@
     "watch": "c1=\"\";while :;do c2=$(find html js css img -type f -and -not -iname '*autogen*'|sort|xargs cat|md5sum);[[ $c1 != $c2 ]]&&npm run build -- --debug --no-vendor-js;c1=$c2;sleep 1;done"
   },
   "dependencies": {
+    "dompurify": "^2.0.11",
     "font-awesome": "^4.7.0",
     "ios-inner-height": "^1.0.3",
     "js-cookie": "^2.2.0",