deps: bump sanitize-html

package.json

@@ -32,7 +32,7 @@
     "proxy-addr": "^2.0.6",
     "pug": "^3.0.2",
     "redis": "^3.0.2",
-    "sanitize-html": "^1.14.1",
+    "sanitize-html": "^2.3.3",
     "serve-static": "^1.14.1",
     "socket.io": "^2.0.3",
     "source-map-support": "^0.5.19",

test/xss.js

@@ -5,7 +5,13 @@ describe('XSS', () => {
     describe('sanitizeHTML', () => {
         it('behaves consistently w.r.t. special chars used in emotes', () => {
             const input    = '`^~=| _-,;:!?/."()[]{}@$*\\&#%+á\t';
-            const expected = '`^~=| _-,;:!?/."()[]{}@$*\\\\&#%+á\t';
+            const expected = '`^~=| _-,;:!?/."()[]{}@$*\\&#%+á\t';
+            assert.strictEqual(XSS.sanitizeHTML(input), expected);
+        });
+
+        it('disallows iframes', () => {
+            const input    = '<iframe src="https://example.com"></iframe>';
+            const expected = '';
             assert.strictEqual(XSS.sanitizeHTML(input), expected);
         });
     });