| -rw-r--r-- | src/routes/event.ts | 4 | ||||
| -rw-r--r-- | src/routes/frontend.ts | 8 | 
2 files changed, 7 insertions, 5 deletions
diff --git a/src/routes/event.ts b/src/routes/event.ts
index 2245009..cfd877e 100644
--- a/src/routes/event.ts
+++ b/src/routes/event.ts
@@ -2,7 +2,6 @@ import { Router, Response, Request } from "express";
 import multer from "multer";
 import Jimp from "jimp";
 import moment from "moment-timezone";
-import { marked } from "marked";
 import {
     generateEditToken,
     generateEventID,
@@ -26,6 +25,7 @@ import getConfig from "../lib/config.js";
 import { sendEmailFromTemplate } from "../lib/email.js";
 import crypto from "crypto";
 import ical from "ical";
+import { markdownToSanitizedHTML } from "../util/markdown.js";
 const config = getConfig();
@@ -148,7 +148,7 @@ router.post(
                 eventID,
                 config.general.domain,
                 publicKey,
-                marked.parse(eventData.eventDescription),
+                markdownToSanitizedHTML(eventData.eventDescription),
                 eventData.eventName,
                 eventData.eventLocation,
                 eventImageFilename,
diff --git a/src/routes/frontend.ts b/src/routes/frontend.ts
index cdf314c..c405572 100644
--- a/src/routes/frontend.ts
+++ b/src/routes/frontend.ts
@@ -1,7 +1,7 @@
 import { Router, Request, Response } from "express";
 import moment from "moment-timezone";
 import { marked } from "marked";
-import { renderPlain } from "../util/markdown.js";
+import { markdownToSanitizedHTML, renderPlain } from "../util/markdown.js";
 import getConfig, { frontendConfig } from "../lib/config.js";
 import { addToLog, exportICal } from "../helpers.js";
 import Event from "../models/Event.js";
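Review bot: The sanitised HTML is computed once at creation time in the `router.post(` call and passed on next to `publicKey`, so if that callee stores or federates the value (the hunk does not show it), objects created before this commit would still carry the output of the old `marked.parse` call. Consider a one-off migration that re-renders stored descriptions through `markdownToSanitizedHTML`. The helper lives in `../util/markdown.js`, outside this diff, so its allow-list cannot be checked here; a unit test pinning that raw `<script>` elements and inline event-handler attributes in a description are removed would keep it from regressing. The enclosing call starts and ends outside the hunk.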
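Review bot: The context line `import { marked } from "marked";` stays in `src/routes/frontend.ts` after this change, while the same import is removed from `event.ts`. Either another `marked.parse(...)` call remains in this file outside the hunks shown, in which case it should also go through `markdownToSanitizedHTML`, or the import is now dead and should be dropped so a later unsanitised use is not a one-line change away. Worth grepping the file for `marked.` before merging.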
@@ -91,7 +91,7 @@ router.get("/:eventID", async (req: Request, res: Response) => {
             eventHasBegun = true;
         }
         let fromNow = moment.tz(event.start, event.timezone).fromNow();
-        let parsedDescription = marked.parse(event.description);
+        let parsedDescription = markdownToSanitizedHTML(event.description);
         let eventEditToken = event.editToken;
         let escapedName = event.name.replace(/\s+/g, "+");
@@ -262,7 +262,9 @@ router.get("/group/:eventGroupID", async (req: Request, res: Response) => {
         if (!eventGroup) {
             return res.status(404).render("404", frontendConfig());
         }
-        const parsedDescription = marked.parse(eventGroup.description);
+        const parsedDescription = markdownToSanitizedHTML(
+            eventGroup.description,
+        );
         const eventGroupEditToken = eventGroup.editToken;
         const escapedName = eventGroup.name.replace(/\s+/g, "+");
         const eventGroupHasCoverImage = !!eventGroup.image;  |
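Review bot: `parsedDescription` in the `/:eventID` handler, and again in `/group/:eventGroupID`, now holds HTML that is safe only because it went through the sanitiser, but neither the name nor a comment records that, and the template presumably outputs it unescaped. I would add a comment such as `// sanitized HTML: safe to output unescaped; never concatenate untrusted text onto it`, or rename the variable to `sanitizedDescriptionHTML`, so a later edit does not reintroduce raw markup on this path. Both handlers continue outside the hunks shown.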
