From 9b93aa5e758e6469711317ecc55728272e14de6e Mon Sep 17 00:00:00 2001
From: Wouter Admiraal <wouter.admiraal@sonarsource.com>
Date: Fri, 23 Apr 2021 15:55:40 +0200
Subject: [PATCH] SONAR-14670 Wrap calls to dompurify

---
 .../js/apps/about/components/AboutApp.tsx     |   4 +-
 .../components/ActivationFormModal.tsx        |  14 +-
 .../components/CustomRuleFormModal.tsx        |  14 +-
 .../components/RuleDetailsDescription.tsx     |   8 +-
 .../components/RuleDetailsParameters.tsx      |  12 +-
 .../__tests__/ActivationFormModal-test.tsx    |  54 +-
 .../__tests__/CustomRuleFormModal-test.tsx    |  15 +-
 .../ActivationFormModal-test.tsx.snap         | 587 +++++++++++++++++-
 .../CustomRuleFormModal-test.tsx.snap         |  98 ++-
 .../components/HotspotReviewHistory.tsx       |   8 +-
 .../components/HotspotViewerTabs.tsx          |   5 +-
 .../js/apps/settings/__tests__/utils-test.ts  | 105 +---
 .../apps/settings/components/Definition.tsx   |   7 +-
 .../components/SubCategoryDefinitionsList.tsx |   8 +-
 .../src/main/js/apps/settings/utils.ts        |   7 -
 .../common/AnalysisWarningsModal.tsx          |   6 +-
 .../issue/components/IssueCommentLine.tsx     |   5 +-
 .../js/helpers/__tests__/sanitize-test.ts     | 161 +++++
 .../sonar-web/src/main/js/helpers/sanitize.ts |  32 +
 .../src/main/js/helpers/testMocks.ts          |  11 +
 20 files changed, 995 insertions(+), 166 deletions(-)
 create mode 100644 server/sonar-web/src/main/js/helpers/__tests__/sanitize-test.ts
 create mode 100644 server/sonar-web/src/main/js/helpers/sanitize.ts

diff --git a/server/sonar-web/src/main/js/apps/about/components/AboutApp.tsx b/server/sonar-web/src/main/js/apps/about/components/AboutApp.tsx
index b7d899a1f0f..652f712e689 100644
--- a/server/sonar-web/src/main/js/apps/about/components/AboutApp.tsx
+++ b/server/sonar-web/src/main/js/apps/about/components/AboutApp.tsx
@@ -17,7 +17,6 @@
  * along with this program; if not, write to the Free Software Foundation,
  * Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
  */
-import { sanitize } from 'dompurify';
 import { Location } from 'history';
 import { keyBy } from 'lodash';
 import * as React from 'react';
@@ -31,6 +30,7 @@ import A11ySkipTarget from '../../../app/components/a11y/A11ySkipTarget';
 import withIndexationContext, {
   WithIndexationContextProps
 } from '../../../components/hoc/withIndexationContext';
+import { sanitizeString } from '../../../helpers/sanitize';
 import {
   getAppState,
   getCurrentUser,
@@ -163,7 +163,7 @@ export class AboutApp extends React.PureComponent<Props, State> {
           <div
             className="about-page-section"
             // eslint-disable-next-line react/no-danger
-            dangerouslySetInnerHTML={{ __html: sanitize(customText) }}
+            dangerouslySetInnerHTML={{ __html: sanitizeString(customText) }}
           />
         )}
 
diff --git a/server/sonar-web/src/main/js/apps/coding-rules/components/ActivationFormModal.tsx b/server/sonar-web/src/main/js/apps/coding-rules/components/ActivationFormModal.tsx
index 51470ba11e3..65d00e2a7c1 100644
--- a/server/sonar-web/src/main/js/apps/coding-rules/components/ActivationFormModal.tsx
+++ b/server/sonar-web/src/main/js/apps/coding-rules/components/ActivationFormModal.tsx
@@ -18,7 +18,6 @@
  * Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
  */
 import * as classNames from 'classnames';
-import { sanitize } from 'dompurify';
 import * as React from 'react';
 import { ResetButtonLink, SubmitButton } from 'sonar-ui-common/components/controls/buttons';
 import Modal from 'sonar-ui-common/components/controls/Modal';
@@ -28,6 +27,7 @@ import { translate } from 'sonar-ui-common/helpers/l10n';
 import { activateRule, Profile } from '../../../api/quality-profiles';
 import SeverityHelper from '../../../components/shared/SeverityHelper';
 import { SEVERITIES } from '../../../helpers/constants';
+import { sanitizeString } from '../../../helpers/sanitize';
 import { sortProfiles } from '../../quality-profiles/utils';
 
 interface Props {
@@ -222,11 +222,13 @@ export default class ActivationFormModal extends React.PureComponent<Props, Stat
                       value={this.state.params[param.key] || ''}
                     />
                   )}
-                  <div
-                    className="note"
-                    // eslint-disable-next-line react/no-danger
-                    dangerouslySetInnerHTML={{ __html: sanitize(param.htmlDesc || '') }}
-                  />
+                  {param.htmlDesc !== undefined && (
+                    <div
+                      className="note"
+                      // eslint-disable-next-line react/no-danger
+                      dangerouslySetInnerHTML={{ __html: sanitizeString(param.htmlDesc) }}
+                    />
+                  )}
                 </div>
               ))
             )}
diff --git a/server/sonar-web/src/main/js/apps/coding-rules/components/CustomRuleFormModal.tsx b/server/sonar-web/src/main/js/apps/coding-rules/components/CustomRuleFormModal.tsx
index 738187b2be7..d21c7e83498 100644
--- a/server/sonar-web/src/main/js/apps/coding-rules/components/CustomRuleFormModal.tsx
+++ b/server/sonar-web/src/main/js/apps/coding-rules/components/CustomRuleFormModal.tsx
@@ -17,7 +17,6 @@
  * along with this program; if not, write to the Free Software Foundation,
  * Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
  */
-import { sanitize } from 'dompurify';
 import * as React from 'react';
 import { ResetButtonLink, SubmitButton } from 'sonar-ui-common/components/controls/buttons';
 import Modal from 'sonar-ui-common/components/controls/Modal';
@@ -33,6 +32,7 @@ import FormattingTips from '../../../components/common/FormattingTips';
 import SeverityHelper from '../../../components/shared/SeverityHelper';
 import TypeHelper from '../../../components/shared/TypeHelper';
 import { RULE_STATUSES, RULE_TYPES, SEVERITIES } from '../../../helpers/constants';
+import { sanitizeString } from '../../../helpers/sanitize';
 
 interface Props {
   customRule?: T.RuleDetails;
@@ -304,11 +304,13 @@ export default class CustomRuleFormModal extends React.PureComponent<Props, Stat
           value={this.state.params[param.key] || ''}
         />
       )}
-      <div
-        className="modal-field-description"
-        // eslint-disable-next-line react/no-danger
-        dangerouslySetInnerHTML={{ __html: sanitize(param.htmlDesc || '') }}
-      />
+      {param.htmlDesc !== undefined && (
+        <div
+          className="modal-field-description"
+          // eslint-disable-next-line react/no-danger
+          dangerouslySetInnerHTML={{ __html: sanitizeString(param.htmlDesc) }}
+        />
+      )}
     </div>
   );
 
diff --git a/server/sonar-web/src/main/js/apps/coding-rules/components/RuleDetailsDescription.tsx b/server/sonar-web/src/main/js/apps/coding-rules/components/RuleDetailsDescription.tsx
index 8e1219a8d84..d89059fa468 100644
--- a/server/sonar-web/src/main/js/apps/coding-rules/components/RuleDetailsDescription.tsx
+++ b/server/sonar-web/src/main/js/apps/coding-rules/components/RuleDetailsDescription.tsx
@@ -17,12 +17,12 @@
  * along with this program; if not, write to the Free Software Foundation,
  * Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
  */
-import { sanitize } from 'dompurify';
 import * as React from 'react';
 import { Button, ResetButtonLink } from 'sonar-ui-common/components/controls/buttons';
 import { translate, translateWithParameters } from 'sonar-ui-common/helpers/l10n';
 import { updateRule } from '../../../api/rules';
 import FormattingTips from '../../../components/common/FormattingTips';
+import { sanitizeString } from '../../../helpers/sanitize';
 import RemoveExtendedDescriptionModal from './RemoveExtendedDescriptionModal';
 
 interface Props {
@@ -112,7 +112,7 @@ export default class RuleDetailsDescription extends React.PureComponent<Props, S
         <div
           className="rule-desc spacer-bottom markdown"
           // eslint-disable-next-line react/no-danger
-          dangerouslySetInnerHTML={{ __html: sanitize(this.props.ruleDetails.htmlNote) }}
+          dangerouslySetInnerHTML={{ __html: sanitizeString(this.props.ruleDetails.htmlNote) }}
         />
       )}
       {this.props.canWrite && (
@@ -190,11 +190,11 @@ export default class RuleDetailsDescription extends React.PureComponent<Props, S
 
     return (
       <div className="js-rule-description">
-        {hasDescription ? (
+        {hasDescription && ruleDetails.htmlDesc !== undefined ? (
           <div
             className="coding-rules-detail-description rule-desc markdown"
             // eslint-disable-next-line react/no-danger
-            dangerouslySetInnerHTML={{ __html: sanitize(ruleDetails.htmlDesc || '') }}
+            dangerouslySetInnerHTML={{ __html: sanitizeString(ruleDetails.htmlDesc) }}
           />
         ) : (
           <div className="coding-rules-detail-description rule-desc markdown">
diff --git a/server/sonar-web/src/main/js/apps/coding-rules/components/RuleDetailsParameters.tsx b/server/sonar-web/src/main/js/apps/coding-rules/components/RuleDetailsParameters.tsx
index c134954aa05..91cf2b95cd4 100644
--- a/server/sonar-web/src/main/js/apps/coding-rules/components/RuleDetailsParameters.tsx
+++ b/server/sonar-web/src/main/js/apps/coding-rules/components/RuleDetailsParameters.tsx
@@ -17,9 +17,9 @@
  * along with this program; if not, write to the Free Software Foundation,
  * Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
  */
-import { sanitize } from 'dompurify';
 import * as React from 'react';
 import { translate } from 'sonar-ui-common/helpers/l10n';
+import { sanitizeString } from '../../../helpers/sanitize';
 
 interface Props {
   params: T.RuleParameter[];
@@ -30,10 +30,12 @@ export default class RuleDetailsParameters extends React.PureComponent<Props> {
     <tr className="coding-rules-detail-parameter" key={param.key}>
       <td className="coding-rules-detail-parameter-name">{param.key}</td>
       <td className="coding-rules-detail-parameter-description">
-        <p
-          // eslint-disable-next-line react/no-danger
-          dangerouslySetInnerHTML={{ __html: sanitize(param.htmlDesc || '') }}
-        />
+        {param.htmlDesc !== undefined && (
+          <p
+            // eslint-disable-next-line react/no-danger
+            dangerouslySetInnerHTML={{ __html: sanitizeString(param.htmlDesc) }}
+          />
+        )}
         {param.defaultValue !== undefined && (
           <div className="note spacer-top">
             {translate('coding_rules.parameters.default_value')}
diff --git a/server/sonar-web/src/main/js/apps/coding-rules/components/__tests__/ActivationFormModal-test.tsx b/server/sonar-web/src/main/js/apps/coding-rules/components/__tests__/ActivationFormModal-test.tsx
index e011e79d46f..2f28c908ec2 100644
--- a/server/sonar-web/src/main/js/apps/coding-rules/components/__tests__/ActivationFormModal-test.tsx
+++ b/server/sonar-web/src/main/js/apps/coding-rules/components/__tests__/ActivationFormModal-test.tsx
@@ -17,21 +17,51 @@
  * along with this program; if not, write to the Free Software Foundation,
  * Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
  */
+
 import { shallow } from 'enzyme';
 import * as React from 'react';
-import { mockQualityProfile, mockRule } from '../../../../helpers/testMocks';
+import {
+  mockQualityProfile,
+  mockRule,
+  mockRuleActivation,
+  mockRuleDetails,
+  mockRuleDetailsParameter
+} from '../../../../helpers/testMocks';
 import ActivationFormModal from '../ActivationFormModal';
 
-it('render correctly', () => {
+it('should render correctly', () => {
+  expect(shallowRender()).toMatchSnapshot('default');
   expect(
-    shallow(
-      <ActivationFormModal
-        modalHeader="title"
-        onClose={jest.fn()}
-        onDone={jest.fn()}
-        profiles={[mockQualityProfile()]}
-        rule={mockRule()}
-      />
-    )
-  ).toMatchSnapshot();
+    shallowRender({
+      profiles: [
+        mockQualityProfile(),
+        mockQualityProfile({ depth: 2, actions: { edit: true }, language: 'js' })
+      ]
+    })
+  ).toMatchSnapshot('with deep profiles');
+  expect(shallowRender({ rule: mockRuleDetails({ templateKey: 'foobar' }) })).toMatchSnapshot(
+    'custom rule'
+  );
+  expect(shallowRender({ activation: mockRuleActivation() })).toMatchSnapshot('update mode');
+  const wrapper = shallowRender();
+  wrapper.setState({ submitting: true });
+  expect(wrapper).toMatchSnapshot('submitting');
 });
+
+function shallowRender(props: Partial<ActivationFormModal['props']> = {}) {
+  return shallow<ActivationFormModal>(
+    <ActivationFormModal
+      modalHeader="title"
+      onClose={jest.fn()}
+      onDone={jest.fn()}
+      profiles={[mockQualityProfile()]}
+      rule={mockRule({
+        params: [
+          mockRuleDetailsParameter(),
+          mockRuleDetailsParameter({ key: '2', type: 'TEXT', htmlDesc: undefined })
+        ]
+      })}
+      {...props}
+    />
+  );
+}
diff --git a/server/sonar-web/src/main/js/apps/coding-rules/components/__tests__/CustomRuleFormModal-test.tsx b/server/sonar-web/src/main/js/apps/coding-rules/components/__tests__/CustomRuleFormModal-test.tsx
index eb49f339c08..895e063555e 100644
--- a/server/sonar-web/src/main/js/apps/coding-rules/components/__tests__/CustomRuleFormModal-test.tsx
+++ b/server/sonar-web/src/main/js/apps/coding-rules/components/__tests__/CustomRuleFormModal-test.tsx
@@ -21,13 +21,13 @@ import { shallow } from 'enzyme';
 import * as React from 'react';
 import { submit, waitAndUpdate } from 'sonar-ui-common/helpers/testUtils';
 import { createRule } from '../../../../api/rules';
-import { mockRule } from '../../../../helpers/testMocks';
+import { mockRule, mockRuleDetailsParameter } from '../../../../helpers/testMocks';
 import CustomRuleFormModal from '../CustomRuleFormModal';
 
 jest.mock('../../../../api/rules', () => ({ createRule: jest.fn() }));
 
 it('should render correctly', () => {
-  expect(shallowRender()).toMatchSnapshot();
+  expect(shallowRender()).toMatchSnapshot('default');
 });
 
 it('should handle re-activation', async () => {
@@ -43,7 +43,16 @@ function shallowRender(props: Partial<CustomRuleFormModal['props']> = {}) {
     <CustomRuleFormModal
       onClose={jest.fn()}
       onDone={jest.fn()}
-      templateRule={{ ...mockRule(), createdAt: 'date', repo: 'squid' }}
+      templateRule={{
+        ...mockRule({
+          params: [
+            mockRuleDetailsParameter(),
+            mockRuleDetailsParameter({ key: '2', type: 'TEXT', htmlDesc: undefined })
+          ]
+        }),
+        createdAt: 'date',
+        repo: 'squid'
+      }}
       {...props}
     />
   );
diff --git a/server/sonar-web/src/main/js/apps/coding-rules/components/__tests__/__snapshots__/ActivationFormModal-test.tsx.snap b/server/sonar-web/src/main/js/apps/coding-rules/components/__tests__/__snapshots__/ActivationFormModal-test.tsx.snap
index 2225b883507..2adb2cf8b78 100644
--- a/server/sonar-web/src/main/js/apps/coding-rules/components/__tests__/__snapshots__/ActivationFormModal-test.tsx.snap
+++ b/server/sonar-web/src/main/js/apps/coding-rules/components/__tests__/__snapshots__/ActivationFormModal-test.tsx.snap
@@ -1,6 +1,6 @@
 // Jest Snapshot v1, https://goo.gl/fbAQLP
 
-exports[`render correctly 1`] = `
+exports[`should render correctly: custom rule 1`] = `
 <Modal
   contentLabel="title"
   onRequestClose={[MockFunction]}
@@ -80,12 +80,597 @@ exports[`render correctly 1`] = `
           valueRenderer={[Function]}
         />
       </div>
+      <div
+        className="modal-field"
+      >
+        <p
+          className="note"
+        >
+          coding_rules.custom_rule.activation_notice
+        </p>
+      </div>
+    </div>
+    <footer
+      className="modal-foot"
+    >
+      <SubmitButton
+        disabled={true}
+      >
+        coding_rules.activate
+      </SubmitButton>
+      <ResetButtonLink
+        disabled={false}
+        onClick={[MockFunction]}
+      >
+        cancel
+      </ResetButtonLink>
+    </footer>
+  </form>
+</Modal>
+`;
+
+exports[`should render correctly: default 1`] = `
+<Modal
+  contentLabel="title"
+  onRequestClose={[MockFunction]}
+  size="small"
+>
+  <form
+    onSubmit={[Function]}
+  >
+    <div
+      className="modal-head"
+    >
+      <h2>
+        title
+      </h2>
+    </div>
+    <div
+      className="modal-body modal-container"
+    >
+      <Alert
+        variant="info"
+      >
+        coding_rules.active_in_all_profiles
+      </Alert>
+      <div
+        className="modal-field"
+      >
+        <label>
+          coding_rules.quality_profile
+        </label>
+        <Select
+          className="js-profile"
+          clearable={false}
+          disabled={false}
+          onChange={[Function]}
+          options={Array []}
+          value=""
+        />
+      </div>
+      <div
+        className="modal-field"
+      >
+        <label>
+          severity
+        </label>
+        <Select
+          className="js-severity"
+          clearable={false}
+          disabled={false}
+          onChange={[Function]}
+          optionRenderer={[Function]}
+          options={
+            Array [
+              Object {
+                "label": "severity.BLOCKER",
+                "value": "BLOCKER",
+              },
+              Object {
+                "label": "severity.CRITICAL",
+                "value": "CRITICAL",
+              },
+              Object {
+                "label": "severity.MAJOR",
+                "value": "MAJOR",
+              },
+              Object {
+                "label": "severity.MINOR",
+                "value": "MINOR",
+              },
+              Object {
+                "label": "severity.INFO",
+                "value": "INFO",
+              },
+            ]
+          }
+          searchable={false}
+          value="MAJOR"
+          valueRenderer={[Function]}
+        />
+      </div>
+      <div
+        className="modal-field"
+        key="1"
+      >
+        <label
+          title="1"
+        >
+          1
+        </label>
+        <input
+          disabled={false}
+          name="1"
+          onChange={[Function]}
+          placeholder="1"
+          type="text"
+          value="1"
+        />
+        <div
+          className="note"
+          dangerouslySetInnerHTML={
+            Object {
+              "__html": "description",
+            }
+          }
+        />
+      </div>
+      <div
+        className="modal-field"
+        key="2"
+      >
+        <label
+          title="2"
+        >
+          2
+        </label>
+        <textarea
+          disabled={false}
+          name="2"
+          onChange={[Function]}
+          placeholder="1"
+          rows={3}
+          value="1"
+        />
+      </div>
+    </div>
+    <footer
+      className="modal-foot"
+    >
+      <SubmitButton
+        disabled={true}
+      >
+        coding_rules.activate
+      </SubmitButton>
+      <ResetButtonLink
+        disabled={false}
+        onClick={[MockFunction]}
+      >
+        cancel
+      </ResetButtonLink>
+    </footer>
+  </form>
+</Modal>
+`;
+
+exports[`should render correctly: submitting 1`] = `
+<Modal
+  contentLabel="title"
+  onRequestClose={[MockFunction]}
+  size="small"
+>
+  <form
+    onSubmit={[Function]}
+  >
+    <div
+      className="modal-head"
+    >
+      <h2>
+        title
+      </h2>
+    </div>
+    <div
+      className="modal-body modal-container"
+    >
+      <Alert
+        variant="info"
+      >
+        coding_rules.active_in_all_profiles
+      </Alert>
+      <div
+        className="modal-field"
+      >
+        <label>
+          coding_rules.quality_profile
+        </label>
+        <Select
+          className="js-profile"
+          clearable={false}
+          disabled={true}
+          onChange={[Function]}
+          options={Array []}
+          value=""
+        />
+      </div>
+      <div
+        className="modal-field"
+      >
+        <label>
+          severity
+        </label>
+        <Select
+          className="js-severity"
+          clearable={false}
+          disabled={true}
+          onChange={[Function]}
+          optionRenderer={[Function]}
+          options={
+            Array [
+              Object {
+                "label": "severity.BLOCKER",
+                "value": "BLOCKER",
+              },
+              Object {
+                "label": "severity.CRITICAL",
+                "value": "CRITICAL",
+              },
+              Object {
+                "label": "severity.MAJOR",
+                "value": "MAJOR",
+              },
+              Object {
+                "label": "severity.MINOR",
+                "value": "MINOR",
+              },
+              Object {
+                "label": "severity.INFO",
+                "value": "INFO",
+              },
+            ]
+          }
+          searchable={false}
+          value="MAJOR"
+          valueRenderer={[Function]}
+        />
+      </div>
+      <div
+        className="modal-field"
+        key="1"
+      >
+        <label
+          title="1"
+        >
+          1
+        </label>
+        <input
+          disabled={true}
+          name="1"
+          onChange={[Function]}
+          placeholder="1"
+          type="text"
+          value="1"
+        />
+        <div
+          className="note"
+          dangerouslySetInnerHTML={
+            Object {
+              "__html": "description",
+            }
+          }
+        />
+      </div>
+      <div
+        className="modal-field"
+        key="2"
+      >
+        <label
+          title="2"
+        >
+          2
+        </label>
+        <textarea
+          disabled={true}
+          name="2"
+          onChange={[Function]}
+          placeholder="1"
+          rows={3}
+          value="1"
+        />
+      </div>
+    </div>
+    <footer
+      className="modal-foot"
+    >
+      <i
+        className="spinner spacer-right"
+      />
+      <SubmitButton
+        disabled={true}
+      >
+        coding_rules.activate
+      </SubmitButton>
+      <ResetButtonLink
+        disabled={true}
+        onClick={[MockFunction]}
+      >
+        cancel
+      </ResetButtonLink>
+    </footer>
+  </form>
+</Modal>
+`;
+
+exports[`should render correctly: update mode 1`] = `
+<Modal
+  contentLabel="title"
+  onRequestClose={[MockFunction]}
+  size="small"
+>
+  <form
+    onSubmit={[Function]}
+  >
+    <div
+      className="modal-head"
+    >
+      <h2>
+        title
+      </h2>
+    </div>
+    <div
+      className="modal-body modal-container"
+    >
+      <div
+        className="modal-field"
+      >
+        <label>
+          coding_rules.quality_profile
+        </label>
+        <Select
+          className="js-profile"
+          clearable={false}
+          disabled={false}
+          onChange={[Function]}
+          options={Array []}
+          value=""
+        />
+      </div>
+      <div
+        className="modal-field"
+      >
+        <label>
+          severity
+        </label>
+        <Select
+          className="js-severity"
+          clearable={false}
+          disabled={false}
+          onChange={[Function]}
+          optionRenderer={[Function]}
+          options={
+            Array [
+              Object {
+                "label": "severity.BLOCKER",
+                "value": "BLOCKER",
+              },
+              Object {
+                "label": "severity.CRITICAL",
+                "value": "CRITICAL",
+              },
+              Object {
+                "label": "severity.MAJOR",
+                "value": "MAJOR",
+              },
+              Object {
+                "label": "severity.MINOR",
+                "value": "MINOR",
+              },
+              Object {
+                "label": "severity.INFO",
+                "value": "INFO",
+              },
+            ]
+          }
+          searchable={false}
+          value="MAJOR"
+          valueRenderer={[Function]}
+        />
+      </div>
+      <div
+        className="modal-field"
+        key="1"
+      >
+        <label
+          title="1"
+        >
+          1
+        </label>
+        <input
+          disabled={false}
+          name="1"
+          onChange={[Function]}
+          placeholder="1"
+          type="text"
+          value="1"
+        />
+        <div
+          className="note"
+          dangerouslySetInnerHTML={
+            Object {
+              "__html": "description",
+            }
+          }
+        />
+      </div>
+      <div
+        className="modal-field"
+        key="2"
+      >
+        <label
+          title="2"
+        >
+          2
+        </label>
+        <textarea
+          disabled={false}
+          name="2"
+          onChange={[Function]}
+          placeholder="1"
+          rows={3}
+          value="1"
+        />
+      </div>
     </div>
     <footer
       className="modal-foot"
     >
       <SubmitButton
         disabled={true}
+      >
+        save
+      </SubmitButton>
+      <ResetButtonLink
+        disabled={false}
+        onClick={[MockFunction]}
+      >
+        cancel
+      </ResetButtonLink>
+    </footer>
+  </form>
+</Modal>
+`;
+
+exports[`should render correctly: with deep profiles 1`] = `
+<Modal
+  contentLabel="title"
+  onRequestClose={[MockFunction]}
+  size="small"
+>
+  <form
+    onSubmit={[Function]}
+  >
+    <div
+      className="modal-head"
+    >
+      <h2>
+        title
+      </h2>
+    </div>
+    <div
+      className="modal-body modal-container"
+    >
+      <div
+        className="modal-field"
+      >
+        <label>
+          coding_rules.quality_profile
+        </label>
+        <Select
+          className="js-profile"
+          clearable={false}
+          disabled={true}
+          onChange={[Function]}
+          options={
+            Array [
+              Object {
+                "label": "name",
+                "value": "key",
+              },
+            ]
+          }
+          value="key"
+        />
+      </div>
+      <div
+        className="modal-field"
+      >
+        <label>
+          severity
+        </label>
+        <Select
+          className="js-severity"
+          clearable={false}
+          disabled={false}
+          onChange={[Function]}
+          optionRenderer={[Function]}
+          options={
+            Array [
+              Object {
+                "label": "severity.BLOCKER",
+                "value": "BLOCKER",
+              },
+              Object {
+                "label": "severity.CRITICAL",
+                "value": "CRITICAL",
+              },
+              Object {
+                "label": "severity.MAJOR",
+                "value": "MAJOR",
+              },
+              Object {
+                "label": "severity.MINOR",
+                "value": "MINOR",
+              },
+              Object {
+                "label": "severity.INFO",
+                "value": "INFO",
+              },
+            ]
+          }
+          searchable={false}
+          value="MAJOR"
+          valueRenderer={[Function]}
+        />
+      </div>
+      <div
+        className="modal-field"
+        key="1"
+      >
+        <label
+          title="1"
+        >
+          1
+        </label>
+        <input
+          disabled={false}
+          name="1"
+          onChange={[Function]}
+          placeholder="1"
+          type="text"
+          value="1"
+        />
+        <div
+          className="note"
+          dangerouslySetInnerHTML={
+            Object {
+              "__html": "description",
+            }
+          }
+        />
+      </div>
+      <div
+        className="modal-field"
+        key="2"
+      >
+        <label
+          title="2"
+        >
+          2
+        </label>
+        <textarea
+          disabled={false}
+          name="2"
+          onChange={[Function]}
+          placeholder="1"
+          rows={3}
+          value="1"
+        />
+      </div>
+    </div>
+    <footer
+      className="modal-foot"
+    >
+      <SubmitButton
+        disabled={false}
       >
         coding_rules.activate
       </SubmitButton>
diff --git a/server/sonar-web/src/main/js/apps/coding-rules/components/__tests__/__snapshots__/CustomRuleFormModal-test.tsx.snap b/server/sonar-web/src/main/js/apps/coding-rules/components/__tests__/__snapshots__/CustomRuleFormModal-test.tsx.snap
index 426e1a46317..3aed94f5b25 100644
--- a/server/sonar-web/src/main/js/apps/coding-rules/components/__tests__/__snapshots__/CustomRuleFormModal-test.tsx.snap
+++ b/server/sonar-web/src/main/js/apps/coding-rules/components/__tests__/__snapshots__/CustomRuleFormModal-test.tsx.snap
@@ -205,6 +205,54 @@ exports[`should handle re-activation 1`] = `
           className="modal-field-descriptor text-right"
         />
       </div>
+      <div
+        className="modal-field"
+        key="1"
+      >
+        <label
+          className="capitalize"
+          htmlFor="1"
+        >
+          1
+        </label>
+        <input
+          disabled={false}
+          id="1"
+          name="1"
+          onChange={[Function]}
+          placeholder="1"
+          type="text"
+          value=""
+        />
+        <div
+          className="modal-field-description"
+          dangerouslySetInnerHTML={
+            Object {
+              "__html": "description",
+            }
+          }
+        />
+      </div>
+      <div
+        className="modal-field"
+        key="2"
+      >
+        <label
+          className="capitalize"
+          htmlFor="2"
+        >
+          2
+        </label>
+        <textarea
+          disabled={false}
+          id="2"
+          name="2"
+          onChange={[Function]}
+          placeholder="1"
+          rows={3}
+          value=""
+        />
+      </div>
     </div>
     <div
       className="modal-foot"
@@ -226,7 +274,7 @@ exports[`should handle re-activation 1`] = `
 </Modal>
 `;
 
-exports[`should render correctly 1`] = `
+exports[`should render correctly: default 1`] = `
 <Modal
   contentLabel="coding_rules.create_custom_rule"
   onRequestClose={[MockFunction]}
@@ -426,6 +474,54 @@ exports[`should render correctly 1`] = `
           className="modal-field-descriptor text-right"
         />
       </div>
+      <div
+        className="modal-field"
+        key="1"
+      >
+        <label
+          className="capitalize"
+          htmlFor="1"
+        >
+          1
+        </label>
+        <input
+          disabled={false}
+          id="1"
+          name="1"
+          onChange={[Function]}
+          placeholder="1"
+          type="text"
+          value=""
+        />
+        <div
+          className="modal-field-description"
+          dangerouslySetInnerHTML={
+            Object {
+              "__html": "description",
+            }
+          }
+        />
+      </div>
+      <div
+        className="modal-field"
+        key="2"
+      >
+        <label
+          className="capitalize"
+          htmlFor="2"
+        >
+          2
+        </label>
+        <textarea
+          disabled={false}
+          id="2"
+          name="2"
+          onChange={[Function]}
+          placeholder="1"
+          rows={3}
+          value=""
+        />
+      </div>
     </div>
     <div
       className="modal-foot"
diff --git a/server/sonar-web/src/main/js/apps/security-hotspots/components/HotspotReviewHistory.tsx b/server/sonar-web/src/main/js/apps/security-hotspots/components/HotspotReviewHistory.tsx
index a7765f34e6b..98d06cf4c95 100644
--- a/server/sonar-web/src/main/js/apps/security-hotspots/components/HotspotReviewHistory.tsx
+++ b/server/sonar-web/src/main/js/apps/security-hotspots/components/HotspotReviewHistory.tsx
@@ -18,7 +18,6 @@
  * Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
  */
 import * as classNames from 'classnames';
-import { sanitize } from 'dompurify';
 import * as React from 'react';
 import { Button, DeleteButton, EditButton } from 'sonar-ui-common/components/controls/buttons';
 import Dropdown, { DropdownOverlay } from 'sonar-ui-common/components/controls/Dropdown';
@@ -28,6 +27,7 @@ import { PopupPlacement } from 'sonar-ui-common/components/ui/popups';
 import { translate, translateWithParameters } from 'sonar-ui-common/helpers/l10n';
 import IssueChangelogDiff from '../../../components/issue/components/IssueChangelogDiff';
 import Avatar from '../../../components/ui/Avatar';
+import { sanitizeString } from '../../../helpers/sanitize';
 import { Hotspot, ReviewHistoryType } from '../../../types/security-hotspots';
 import { getHotspotReviewHistory } from '../utils';
 import HotspotCommentPopup from './HotspotCommentPopup';
@@ -89,7 +89,11 @@ export default function HotspotReviewHistory(props: HotspotReviewHistoryProps) {
 
             {type === ReviewHistoryType.Comment && key && html && markdown && (
               <div className="spacer-top display-flex-space-between">
-                <div className="markdown" dangerouslySetInnerHTML={{ __html: sanitize(html) }} />
+                <div
+                  className="markdown"
+                  // eslint-disable-next-line react/no-danger
+                  dangerouslySetInnerHTML={{ __html: sanitizeString(html) }}
+                />
                 {updatable && (
                   <div>
                     <div className="dropdown">
diff --git a/server/sonar-web/src/main/js/apps/security-hotspots/components/HotspotViewerTabs.tsx b/server/sonar-web/src/main/js/apps/security-hotspots/components/HotspotViewerTabs.tsx
index 3b91bfbd559..8b736e83003 100644
--- a/server/sonar-web/src/main/js/apps/security-hotspots/components/HotspotViewerTabs.tsx
+++ b/server/sonar-web/src/main/js/apps/security-hotspots/components/HotspotViewerTabs.tsx
@@ -17,11 +17,11 @@
  * along with this program; if not, write to the Free Software Foundation,
  * Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
  */
-import { sanitize } from 'dompurify';
 import * as React from 'react';
 import BoxedTabs from 'sonar-ui-common/components/controls/BoxedTabs';
 import Tab from 'sonar-ui-common/components/controls/Tabs';
 import { translate } from 'sonar-ui-common/helpers/l10n';
+import { sanitizeString } from '../../../helpers/sanitize';
 import { Hotspot } from '../../../types/security-hotspots';
 
 interface Props {
@@ -104,7 +104,8 @@ export default class HotspotViewerTabs extends React.PureComponent<Props, State>
         <div className="bordered huge-spacer-bottom">
           <div
             className="markdown big-padded"
-            dangerouslySetInnerHTML={{ __html: sanitize(currentTab.content) }}
+            // eslint-disable-next-line react/no-danger
+            dangerouslySetInnerHTML={{ __html: sanitizeString(currentTab.content) }}
           />
         </div>
       </>
diff --git a/server/sonar-web/src/main/js/apps/settings/__tests__/utils-test.ts b/server/sonar-web/src/main/js/apps/settings/__tests__/utils-test.ts
index d37c7753bc4..aa0c97c7898 100644
--- a/server/sonar-web/src/main/js/apps/settings/__tests__/utils-test.ts
+++ b/server/sonar-web/src/main/js/apps/settings/__tests__/utils-test.ts
@@ -22,7 +22,7 @@ import {
   SettingCategoryDefinition,
   SettingFieldDefinition
 } from '../../../types/settings';
-import { getDefaultValue, getEmptyValue, sanitizeTranslation } from '../utils';
+import { getDefaultValue, getEmptyValue } from '../utils';
 
 const fields = [
   { key: 'foo', type: 'STRING' } as SettingFieldDefinition,
@@ -82,106 +82,3 @@ describe('#getDefaultValue()', () => {
     }
   );
 });
-
-describe('sanitizeTranslation', () => {
-  it('should preserve formatting tags', () => {
-    const allowed = `
-    Hi this is <i>in italics</i> and <ul>
-    <li> lists </li>
-    <li> are allowed</li>
-    </ul>
-    <p>
-    as well. This is <b>Amazing</b> and this <strong>bold</strong> <br>
-    and <code>code.is.accepted too</code>
-    </p>
-  `;
-
-    const clean = sanitizeTranslation(allowed);
-    expect(clean).toBe(allowed);
-  });
-
-  /*
-   * Test code borrowed from OWASP's sanitizer tests
-   * https://github.com/OWASP/java-html-sanitizer/blob/master/src/test/resources/org/owasp/html/htmllexerinput1.html
-   */
-  it('should strip everything else', () => {
-    const clean = sanitizeTranslation(`<?xml version="not-even-close"?>
-
-    <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
-    
-    <!-- a test input for HtmlLexer -->
-    
-    <html>
-    <head>
-    <title>Test File For HtmlLexer &amp; HtmlParser</title>
-    <link rel=stylesheet type="text/css" src=foo/bar.css />
-    <body
-     bgcolor=white
-     linkcolor = "blue"
-     onload="document.writeln(
-      &quot;&lt;p&gt;properly escaped code in a handler&lt;/p&gt;&quot;);"
-    >
-    
-    <script type="text/javascript"><!--
-    document.writeln("<p>Some initialization code in global context</p>");
-    --></script>
-    
-    <script type="text/javascript">
-    // hi there
-    document.writeln("<p>More initialization</p>");
-    </script>
-    
-    <div id=clickydiv onclick="handleClicky(event)"
-     ondblclick=this.onclick(event);return(false)>
-    Clicky
-    </div>
-    
-    <input id=foo>
-    <gxp:attr name="onchange">alert("&lt;b&gt;hi&lt;/b&gt;");</gxp:attr>
-    </input>
-    
-    <pre>&lt;div id=notarealtag onclick=notcode()&gt;</pre>
-    
-    <!-- some tokenization corner cases -->
-    
-    < notatag <atag/>
-    
-    </ notatag> </redundantlyclosed/>
-    
-    <messyattributes a=b=c d="e"f=g h =i j= k l = m checked n="o"/>
-    
-    < < < all in one text block > > >
-    
-    <xmp>Make sure that <!-- comments don't obscure the xmp close</xmp>
-    <% # some php code here
-    write("<pre>$horriblySyntacticConstruct1</pre>\n\n");
-    %>
-    <script type="text/javascript"><!--
-    alert("hello world");
-    // --></script>
-    
-    <script>/* </script> */alert('hi');</script>
-    <script><!--/* </script> */alert('hi');--></script>
-    
-    <xmp style=color:blue><!--/* </xmp> */alert('hi');--></xmp>
-    
-    <style><!-- p { contentf: '</style>' } --></style>
-    <style>Foo<!-- > </style> --></style>
-    <textarea><!-- Zoicks </textarea>--></textarea>
-    <!-- An escaping text span start may share its U+002D HYPHEN-MINUS characters
-       - with its corresponding escaping text span end. -->
-    <script><!--></script>
-    <script><!---></script>
-    <script><!----></script>
-    </body>
-    </html>
-    <![CDATA[ No such thing as a CDATA> section in HTML ]]>
-    <script>a<b</script>
-    <img src=foo.gif /><a href=><a href=/>
-    <span title=malformed attribs' do=don't id=foo checked onclick="a<b">Bar</span>`);
-
-    expect(clean.replace(/\s+/g, '')).toBe(
-      `Clickyalert("&lt;b&gt;hi&lt;/b&gt;");&lt;divid=notarealtagonclick=notcode()&gt;&lt;notatag&lt;&lt;&lt;allinonetextblock&gt;&gt;&gt;&lt;%#somephpcodeherewrite("$horriblySyntacticConstruct1");%&gt;*/alert('hi');*/alert('hi');--&gt;*/alert('hi');--&gt;'}--&gt;--&gt;&lt;!--Zoicks--&gt;sectioninHTML]]&gt;Bar`
-    );
-  });
-});
diff --git a/server/sonar-web/src/main/js/apps/settings/components/Definition.tsx b/server/sonar-web/src/main/js/apps/settings/components/Definition.tsx
index 66a0d15c5f9..fadd728a2cf 100644
--- a/server/sonar-web/src/main/js/apps/settings/components/Definition.tsx
+++ b/server/sonar-web/src/main/js/apps/settings/components/Definition.tsx
@@ -23,6 +23,7 @@ import { connect } from 'react-redux';
 import AlertErrorIcon from 'sonar-ui-common/components/icons/AlertErrorIcon';
 import AlertSuccessIcon from 'sonar-ui-common/components/icons/AlertSuccessIcon';
 import { translate, translateWithParameters } from 'sonar-ui-common/helpers/l10n';
+import { sanitizeStringRestricted } from '../../../helpers/sanitize';
 import {
   getSettingsAppChangedValue,
   getSettingsAppValidationMessage,
@@ -36,8 +37,7 @@ import {
   getPropertyDescription,
   getPropertyName,
   getSettingValue,
-  isDefaultOrInherited,
-  sanitizeTranslation
+  isDefaultOrInherited
 } from '../utils';
 import DefinitionActions from './DefinitionActions';
 import Input from './inputs/Input';
@@ -154,7 +154,8 @@ export class Definition extends React.PureComponent<Props, State> {
           {description && (
             <div
               className="markdown small spacer-top"
-              dangerouslySetInnerHTML={{ __html: sanitizeTranslation(description) }}
+              // eslint-disable-next-line react/no-danger
+              dangerouslySetInnerHTML={{ __html: sanitizeStringRestricted(description) }}
             />
           )}
 
diff --git a/server/sonar-web/src/main/js/apps/settings/components/SubCategoryDefinitionsList.tsx b/server/sonar-web/src/main/js/apps/settings/components/SubCategoryDefinitionsList.tsx
index 22493ed1046..62e9034f9fc 100644
--- a/server/sonar-web/src/main/js/apps/settings/components/SubCategoryDefinitionsList.tsx
+++ b/server/sonar-web/src/main/js/apps/settings/components/SubCategoryDefinitionsList.tsx
@@ -19,8 +19,9 @@
  */
 import { groupBy, isEqual, sortBy } from 'lodash';
 import * as React from 'react';
+import { sanitizeStringRestricted } from '../../../helpers/sanitize';
 import { Setting, SettingCategoryDefinition } from '../../../types/settings';
-import { getSubCategoryDescription, getSubCategoryName, sanitizeTranslation } from '../utils';
+import { getSubCategoryDescription, getSubCategoryName } from '../utils';
 import DefinitionsList from './DefinitionsList';
 import EmailForm from './EmailForm';
 
@@ -79,7 +80,10 @@ export default class SubCategoryDefinitionsList extends React.PureComponent<Prop
             {subCategory.description != null && (
               <div
                 className="settings-sub-category-description markdown"
-                dangerouslySetInnerHTML={{ __html: sanitizeTranslation(subCategory.description) }}
+                // eslint-disable-next-line react/no-danger
+                dangerouslySetInnerHTML={{
+                  __html: sanitizeStringRestricted(subCategory.description)
+                }}
               />
             )}
             <DefinitionsList
diff --git a/server/sonar-web/src/main/js/apps/settings/utils.ts b/server/sonar-web/src/main/js/apps/settings/utils.ts
index 0fa364c5c0f..e695e2cfaa3 100644
--- a/server/sonar-web/src/main/js/apps/settings/utils.ts
+++ b/server/sonar-web/src/main/js/apps/settings/utils.ts
@@ -17,7 +17,6 @@
  * along with this program; if not, write to the Free Software Foundation,
  * Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
  */
-import { sanitize } from 'dompurify';
 import { hasMessage, translate } from 'sonar-ui-common/helpers/l10n';
 import { Setting, SettingCategoryDefinition, SettingDefinition } from '../../types/settings';
 
@@ -37,12 +36,6 @@ export interface DefaultInputProps {
   value: any;
 }
 
-export function sanitizeTranslation(html: string) {
-  return sanitize(html, {
-    ALLOWED_TAGS: ['b', 'br', 'code', 'i', 'li', 'p', 'strong', 'ul']
-  });
-}
-
 export function getPropertyName(definition: SettingDefinition) {
   const key = `property.${definition.key}.name`;
   return hasMessage(key) ? translate(key) : definition.name;
diff --git a/server/sonar-web/src/main/js/components/common/AnalysisWarningsModal.tsx b/server/sonar-web/src/main/js/components/common/AnalysisWarningsModal.tsx
index 4e599711a28..dc99b50368f 100644
--- a/server/sonar-web/src/main/js/components/common/AnalysisWarningsModal.tsx
+++ b/server/sonar-web/src/main/js/components/common/AnalysisWarningsModal.tsx
@@ -17,7 +17,6 @@
  * along with this program; if not, write to the Free Software Foundation,
  * Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
  */
-import { sanitize } from 'dompurify';
 import * as React from 'react';
 import { ButtonLink } from 'sonar-ui-common/components/controls/buttons';
 import Modal from 'sonar-ui-common/components/controls/Modal';
@@ -25,6 +24,7 @@ import WarningIcon from 'sonar-ui-common/components/icons/WarningIcon';
 import DeferredSpinner from 'sonar-ui-common/components/ui/DeferredSpinner';
 import { translate } from 'sonar-ui-common/helpers/l10n';
 import { dismissAnalysisWarning, getTask } from '../../api/ce';
+import { sanitizeStringRestricted } from '../../helpers/sanitize';
 import { TaskWarning } from '../../types/tasks';
 import { withCurrentUser } from '../hoc/withCurrentUser';
 
@@ -137,9 +137,7 @@ export class AnalysisWarningsModal extends React.PureComponent<Props, State> {
                   <span
                     // eslint-disable-next-line react/no-danger
                     dangerouslySetInnerHTML={{
-                      __html: sanitize(message.trim().replace(/\n/g, '<br />'), {
-                        ALLOWED_ATTR: ['target', 'href']
-                      })
+                      __html: sanitizeStringRestricted(message.trim().replace(/\n/g, '<br />'))
                     }}
                   />
 
diff --git a/server/sonar-web/src/main/js/components/issue/components/IssueCommentLine.tsx b/server/sonar-web/src/main/js/components/issue/components/IssueCommentLine.tsx
index 84a617ccd88..06d4a937ed2 100644
--- a/server/sonar-web/src/main/js/components/issue/components/IssueCommentLine.tsx
+++ b/server/sonar-web/src/main/js/components/issue/components/IssueCommentLine.tsx
@@ -17,13 +17,13 @@
  * along with this program; if not, write to the Free Software Foundation,
  * Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
  */
-import { sanitize } from 'dompurify';
 import * as React from 'react';
 import { DeleteButton, EditButton } from 'sonar-ui-common/components/controls/buttons';
 import Toggler from 'sonar-ui-common/components/controls/Toggler';
 import DateFromNow from 'sonar-ui-common/components/intl/DateFromNow';
 import { PopupPlacement } from 'sonar-ui-common/components/ui/popups';
 import { translate, translateWithParameters } from 'sonar-ui-common/helpers/l10n';
+import { sanitizeString } from '../../../helpers/sanitize';
 import Avatar from '../../ui/Avatar';
 import CommentDeletePopup from '../popups/CommentDeletePopup';
 import CommentPopup from '../popups/CommentPopup';
@@ -96,7 +96,8 @@ export default class IssueCommentLine extends React.PureComponent<Props, State>
         </div>
         <div
           className="issue-comment-text markdown"
-          dangerouslySetInnerHTML={{ __html: sanitize(comment.htmlText) }}
+          // eslint-disable-next-line react/no-danger
+          dangerouslySetInnerHTML={{ __html: sanitizeString(comment.htmlText) }}
         />
         <div className="issue-comment-age">
           <span className="a11y-hidden">{translate('issue.comment.posted_on')}</span>
diff --git a/server/sonar-web/src/main/js/helpers/__tests__/sanitize-test.ts b/server/sonar-web/src/main/js/helpers/__tests__/sanitize-test.ts
new file mode 100644
index 00000000000..1d906672562
--- /dev/null
+++ b/server/sonar-web/src/main/js/helpers/__tests__/sanitize-test.ts
@@ -0,0 +1,161 @@
+/*
+ * SonarQube
+ * Copyright (C) 2009-2021 SonarSource SA
+ * mailto:info AT sonarsource DOT com
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 3 of the License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with this program; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
+ */
+
+import { sanitizeString, sanitizeStringRestricted } from '../sanitize';
+
+describe('sanitizeStringRestricted', () => {
+  it('should preserve only specific formatting tags', () => {
+    expect(
+      sanitizeStringRestricted(`
+    Hi <a href="http://example.com" target="_blank">this</a> is <i>in italics</i> and <ul>
+    <li> lists </li>
+    <li> are allowed</li>
+    </ul>
+    <p>
+    as well. This is <b>Amazing</b> and this <strong>bold</strong> <br>
+    and <code>code.is.accepted too</code>
+    </p>
+  `)
+    ).toBe(`
+    Hi <a target="_blank" href="http://example.com">this</a> is <i>in italics</i> and <ul>
+    <li> lists </li>
+    <li> are allowed</li>
+    </ul>
+    <p>
+    as well. This is <b>Amazing</b> and this <strong>bold</strong> <br>
+    and <code>code.is.accepted too</code>
+    </p>
+  `);
+  });
+
+  /*
+   * Test code borrowed from OWASP's sanitizer tests
+   * https://github.com/OWASP/java-html-sanitizer/blob/master/src/test/resources/org/owasp/html/htmllexerinput1.html
+   */
+  it('should strip everything else', () => {
+    const clean = sanitizeStringRestricted(`<?xml version="not-even-close"?>
+
+    <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
+    
+    <!-- a test input for HtmlLexer -->
+    
+    <html>
+    <head>
+    <title>Test File For HtmlLexer &amp; HtmlParser</title>
+    <link rel=stylesheet type="text/css" src=foo/bar.css />
+    <body
+     bgcolor=white
+     linkcolor = "blue"
+     onload="document.writeln(
+      &quot;&lt;p&gt;properly escaped code in a handler&lt;/p&gt;&quot;);"
+    >
+    
+    <script type="text/javascript"><!--
+    document.writeln("<p>Some initialization code in global context</p>");
+    --></script>
+    
+    <script type="text/javascript">
+    // hi there
+    document.writeln("<p>More initialization</p>");
+    </script>
+    
+    <div id=clickydiv onclick="handleClicky(event)"
+     ondblclick=this.onclick(event);return(false)>
+    Clicky
+    </div>
+    
+    <input id=foo>
+    <gxp:attr name="onchange">alert("&lt;b&gt;hi&lt;/b&gt;");</gxp:attr>
+    </input>
+    
+    <pre>&lt;div id=notarealtag onclick=notcode()&gt;</pre>
+    
+    <!-- some tokenization corner cases -->
+    
+    < notatag <atag/>
+    
+    </ notatag> </redundantlyclosed/>
+    
+    <messyattributes a=b=c d="e"f=g h =i j= k l = m checked n="o"/>
+    
+    < < < all in one text block > > >
+    
+    <xmp>Make sure that <!-- comments don't obscure the xmp close</xmp>
+    <% # some php code here
+    write("<pre>$horriblySyntacticConstruct1</pre>\n\n");
+    %>
+    <script type="text/javascript"><!--
+    alert("hello world");
+    // --></script>
+    
+    <script>/* </script> */alert('hi');</script>
+    <script><!--/* </script> */alert('hi');--></script>
+    
+    <xmp style=color:blue><!--/* </xmp> */alert('hi');--></xmp>
+    
+    <style><!-- p { contentf: '</style>' } --></style>
+    <style>Foo<!-- > </style> --></style>
+    <textarea><!-- Zoicks </textarea>--></textarea>
+    <!-- An escaping text span start may share its U+002D HYPHEN-MINUS characters
+       - with its corresponding escaping text span end. -->
+    <script><!--></script>
+    <script><!---></script>
+    <script><!----></script>
+    </body>
+    </html>
+    <![CDATA[ No such thing as a CDATA> section in HTML ]]>
+    <script>a<b</script>
+    <img src=foo.gif /><a href=><a href=/>
+    <span title=malformed attribs' do=don't id=foo checked onclick="a<b">Bar</span>`);
+
+    expect(clean.replace(/\s+/g, '')).toBe(
+      `Clickyalert("&lt;b&gt;hi&lt;/b&gt;");&lt;divid=notarealtagonclick=notcode()&gt;&lt;notatag&lt;&lt;&lt;allinonetextblock&gt;&gt;&gt;&lt;%#somephpcodeherewrite("$horriblySyntacticConstruct1");%&gt;*/alert('hi');*/alert('hi');--&gt;*/alert('hi');--&gt;'}--&gt;--&gt;&lt;!--Zoicks--&gt;sectioninHTML]]&gt;<ahref=""></a><ahref="/">Bar</a>`
+    );
+  });
+});
+
+describe('sanitizeString', () => {
+  it('should not allow MathML and SVG', () => {
+    const tainted = `
+    Hi <a href="javascript:alert('hello')" target="_blank">this</a> is <i>in italics</i> and <ul>
+    <li> lists </li>
+    <li> are allowed</li>
+    </ul>
+    <p class="some-class">
+    as well. This is <b>Amazing</b> and this <strong>bold</strong> <br>
+    and <code>code.is.accepted too</code>
+    </p>
+    <svg><text>SVG isn't allowed</text></svg>
+    <math xmlns="http://www.w3.org/1998/Math/MathML">
+      <infinity />
+    </math>`;
+    const clean = `
+    Hi <a>this</a> is <i>in italics</i> and <ul>
+    <li> lists </li>
+    <li> are allowed</li>
+    </ul>
+    <p class="some-class">
+    as well. This is <b>Amazing</b> and this <strong>bold</strong> <br>
+    and <code>code.is.accepted too</code>
+    </p>`;
+
+    expect(sanitizeString(tainted).trimRight()).toBe(clean);
+  });
+});
diff --git a/server/sonar-web/src/main/js/helpers/sanitize.ts b/server/sonar-web/src/main/js/helpers/sanitize.ts
new file mode 100644
index 00000000000..79b4a95fa4f
--- /dev/null
+++ b/server/sonar-web/src/main/js/helpers/sanitize.ts
@@ -0,0 +1,32 @@
+/*
+ * SonarQube
+ * Copyright (C) 2009-2021 SonarSource SA
+ * mailto:info AT sonarsource DOT com
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 3 of the License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with this program; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
+ */
+
+import { sanitize } from 'dompurify';
+
+export function sanitizeStringRestricted(html: string) {
+  return sanitize(html, {
+    ALLOWED_TAGS: ['b', 'br', 'code', 'i', 'li', 'p', 'strong', 'ul', 'a'],
+    ALLOWED_ATTR: ['target', 'href']
+  });
+}
+
+export function sanitizeString(html: string) {
+  return sanitize(html, { USE_PROFILES: { html: true } });
+}
diff --git a/server/sonar-web/src/main/js/helpers/testMocks.ts b/server/sonar-web/src/main/js/helpers/testMocks.ts
index efc7915e897..5dbbc378f68 100644
--- a/server/sonar-web/src/main/js/helpers/testMocks.ts
+++ b/server/sonar-web/src/main/js/helpers/testMocks.ts
@@ -568,6 +568,17 @@ export function mockRule(overrides: Partial<T.Rule> = {}): T.Rule {
   } as T.Rule;
 }
 
+export function mockRuleActivation(overrides: Partial<T.RuleActivation> = {}): T.RuleActivation {
+  return {
+    createdAt: '2020-02-01',
+    inherit: 'NONE',
+    params: [{ key: 'foo', value: 'Bar' }],
+    qProfile: 'baz',
+    severity: 'MAJOR',
+    ...overrides
+  };
+}
+
 export function mockRuleDetails(overrides: Partial<T.RuleDetails> = {}): T.RuleDetails {
   return {
     key: 'squid:S1337',
-- 
2.39.5