Commit graph

9 commits

Author SHA1 Message Date
Matt Bierner 474d4951d8
Switch to dompurify for sanitizing markdown content (#131950)
* Switch to dompurify for sanitizing markdown content

Switches us from using `insane` to instead use `dompurify`, which seems to be better maintained and also has some nice features, such as built-in trusted types support

I've tried to port over our existing sanitizer settings as best as possible, but there's not always a 1:1 mapping between how insane works and how dompurify does. I'd like to get this change in early in the iteration to catch potential regressions

* Remove logging and renaming param

* Move dompurify to browser layer

* Fixing tests and how we check valid attributes

* Allow innerhtml in specific files

* Use isEqualNode instead of checking innerHTML directly

innerHTML can return different results on different browsers. Use `isEqualNode` instead

* Reapply fix for trusted types

* Enable ALLOW_UNKNOWN_PROTOCOLS

I believe this is required since we allow links to commands and loading images over remote

* in -> of

* Fix check of protocol

* Enable two more safe tags
2021-09-03 12:17:02 -07:00
Johannes Rieken adb243550a
fix json error in tsec.exemptions 2021-07-02 16:19:29 +02:00
Johannes Rieken aacda89007
remove extensionHostWorkerMain and use workerMain bootstrapping, https://github.com/microsoft/vscode/issues/127760 2021-07-02 16:04:55 +02:00
Henning Dieterichs 231c155d31
Refactors the inline completion feature. 2021-05-21 19:40:38 +02:00
Alex Dima 1256b258a6
Honor the selection suggestion in the suggest widget (when it is visible) 2021-05-19 18:37:38 +02:00
Alex Dima 32db232a53
Scaffold ghost text 2021-05-17 15:39:26 +02:00
Alexandru Dima bbe333f878
Add tsec exemptions 2021-03-22 09:24:37 +01:00
Damien Engels 58eb43beaa
List all tsec exemptions explicitly
This implies a few things:
 - tsec's output is clear so it can be included as a CI check
 - code introducing new violations needs to update the exemption list,
 making it clear there is something security-sensitive about the code
2021-02-11 16:08:52 +01:00
Johannes Rieken a5a0c1527d
add tsec config and exemption file (defunct?) 2021-01-08 12:00:56 +01:00