Fix XSS vulnerability with custom emojis

package.json

@@ -59,6 +59,7 @@
     "@fortawesome/free-solid-svg-icons": "^5.13.0",
     "@popperjs/core": "^2.4.0",
     "@types/twemoji": "^12.1.1",
+    "escape-html": "^1.0.3",
     "focus-trap": "^5.1.0",
     "fuzzysort": "^1.1.4",
     "tiny-emitter": "^2.1.0",

src/emoji.ts

@@ -1,4 +1,5 @@
 import { TinyEmitter as Emitter } from 'tiny-emitter';
+import escape from 'escape-html';
 import twemoji from 'twemoji';
 
 import { EMOJI, HIDE_PREVIEW, SHOW_PREVIEW } from './events';
@@ -30,7 +31,9 @@ export class Emoji {
     if (this.emoji.custom) {
       content = this.lazy
         ? smile
-        : `<img class="${CLASS_CUSTOM_EMOJI}" src="${this.emoji.emoji}">`;
+        : `<img class="${CLASS_CUSTOM_EMOJI}" src="${escape(
+            this.emoji.emoji
+          )}">`;
     } else if (this.options.style === 'twemoji') {
       content = this.lazy
         ? smile

src/lazyLoad.ts

@@ -1,3 +1,4 @@
+import escape from 'escape-html';
 import twemoji from 'twemoji';
 
 import { CLASS_CUSTOM_EMOJI } from './classes';
@@ -25,7 +26,7 @@ function lazyLoadCustomEmoji(element: HTMLElement): void {
   const img = createElement('img', CLASS_CUSTOM_EMOJI) as HTMLImageElement;
 
   if (element.dataset.emoji) {
-    img.src = element.dataset.emoji;
+    img.src = escape(element.dataset.emoji);
     element.innerText = '';
     element.appendChild(img);
   }

src/preview.ts

@@ -1,5 +1,6 @@
 import { TinyEmitter as Emitter } from 'tiny-emitter';
 
+import escape from 'escape-html';
 import twemoji from 'twemoji';
 
 import { SHOW_PREVIEW, HIDE_PREVIEW } from './events';
@@ -40,7 +41,9 @@ export class EmojiPreview {
     let content = emoji.emoji;
 
     if (emoji.custom) {
-      content = `<img class="${CLASS_CUSTOM_EMOJI}" src="${emoji.emoji}">`;
+      content = `<img class="${CLASS_CUSTOM_EMOJI}" src="${escape(
+        emoji.emoji
+      )}">`;
     } else if (this.options.style === 'twemoji') {
       content = twemoji.parse(emoji.emoji, this.options.twemojiOptions);
     }