Also check for unsupported tags in descendants

src/js/i18n.js

@@ -75,6 +75,20 @@ const safeTextToTextNode = function(text) {
     return document.createTextNode(expandHtmlEntities(text));
 };
 
+const sanitizeElement = function(node) {
+    if ( allowedTags.has(node.localName) === false ) { return null; }
+    node.removeAttribute('style');
+    let child = node.firstElementChild;
+    while ( child !== null ) {
+        const next = child.nextElementSibling;
+        if ( sanitizeElement(child) === null ) {
+            child.remove();
+        }
+        child = next;
+    }
+    return node;
+};
+
 const safeTextToDOM = function(text, parent) {
     if ( text === '' ) { return; }
 
@@ -97,6 +111,7 @@ const safeTextToDOM = function(text, parent) {
         }
         return;
     }
+
     // Slow path.
     // `<p>` no longer allowed. Code below can be removed once all <p>'s are
     // gone from translation files.
@@ -105,17 +120,21 @@ const safeTextToDOM = function(text, parent) {
     // Parse allowed HTML tags.
     const domParser = new DOMParser();
     const parsedDoc = domParser.parseFromString(text, 'text/html');
-    for (;;) {
+    let node = parsedDoc.body.firstChild;
-        const node = parsedDoc.body.firstChild;
+    while ( node !== null ) {
-        if ( node === null ) { break; }
+        const next = node.nextSibling;
-        if (
+        switch ( node.nodeType ) {
-            node.nodeType === 3 ||
+        case 1: // element
-            node.nodeType === 1 && allowedTags.has(node.localName)
+            if ( sanitizeElement(node) === null ) { break; }
-        ) {
             parent.appendChild(node);
-        } else {
+            break;
-            node.remove();
+        case 3: // text
+            parent.appendChild(node);
+            break;
+        default:
+            break;
         }
+        node = next;
     }
 };