From dfa97e84523089b0a39de0f769282f756f99f8c1 Mon Sep 17 00:00:00 2001
From: Luke Barnard
Date: Mon, 10 Jul 2017 17:48:01 +0100
Subject: [PATCH] Add comment

---
 src/HtmlUtils.js | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/src/HtmlUtils.js b/src/HtmlUtils.js
index 1036fbf663..9041e88594 100644
--- a/src/HtmlUtils.js
+++ b/src/HtmlUtils.js
@@ -184,6 +184,9 @@ const sanitizeHtmlParams = {
 return { tagName: tagName, attribs : attribs };
 },
 'img': function(tagName, attribs) {
+ // Strip out imgs that aren't `mxc` here instead of using allowedSchemesByTag
+ // because transformTags is used _before_ we filter by allowedSchemesByTag and
+ // we don't want to allow images with `https?` `src`s.
 if (!attribs.src.startsWith('mxc://')) {
 return { tagName, attribs: {}};
 }
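Review bot: The scheme check on the line following the new comment, `if (!attribs.src.startsWith('mxc://'))`, dereferences `attribs.src` without confirming it is present, so an `<img>` with no `src` attribute in untrusted HTML would throw a TypeError from inside the sanitizer rather than being stripped. Since the comment now documents this transform as the place where non-`mxc` images are rejected, the guard should fail closed on a missing attribute too: `if (!attribs.src || !attribs.src.startsWith('mxc://')) {`. It may also be worth adding to the new comment that the check is a literal prefix match and is therefore case-sensitive, so readers do not assume normalisation has happened first. The enclosing `'img'` transform function ends outside the hunk.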