improvement: sanitization via DOMPurify (#4513)

* swap `sanitize-html` for `dompurify`

* set up node enzyme tests with jsdom

dompurify, as the name suggests, needs a DOM or it won't work!

* reconcile tests and sanitizer settings

* remove obsolete sanitizeOptions

* add `jsdom` dependency

src/core/components/providers/markdown.jsx

@@ -1,7 +1,7 @@
 import React from "react"
 import PropTypes from "prop-types"
 import Remarkable from "remarkable"
-import sanitize from "sanitize-html"
+import DomPurify from "dompurify"
 import cx from "classnames"
 
 // eslint-disable-next-line no-useless-escape
@@ -40,20 +40,8 @@ Markdown.propTypes = {
 
 export default Markdown
 
-const sanitizeOptions = {
-    allowedTags: sanitize.defaults.allowedTags.concat([ "h1", "h2", "img", "span" ]),
-    allowedAttributes: {
-        ...sanitize.defaults.allowedAttributes,
-        "img": sanitize.defaults.allowedAttributes.img.concat(["title"]),
-        "td": [ "colspan" ],
-        "*": [ "class" ]
-    },
-    allowedSchemesByTag: { img: [ "http", "https", "data" ] },
-    textFilter: function(text) {
-        return text.replace(/"/g, "\"")
-    }
-}
-
 export function sanitizer(str) {
-    return sanitize(str, sanitizeOptions)
+  return DomPurify.sanitize(str, {
+    ADD_ATTR: ["target"]
+  })
 }