diff --git a/www/common/diffMarked.js b/www/common/diffMarked.js
index 891020ba5..467dfa3e6 100644
--- a/www/common/diffMarked.js
+++ b/www/common/diffMarked.js
@@ -28,12 +28,17 @@ define([
 };
 Marked.setOptions({
+ //sanitize: true, // Disable HTML
 renderer: renderer,
 highlight: highlighter(),
 });
- DiffMd.render = function (md) {
- return Marked(md);
+
+
+ DiffMd.render = function (md, sanitize) {
+ return Marked(md, {
+ sanitize: sanitize
+ });
 };
 var mediaMap = {};
@@ -103,6 +108,7 @@ define([
 'APPLET',
 'VIDEO', // privacy implications of videos are the same as images
 'AUDIO', // same with audio
+ 'SVG'
 ];
 var unsafeTag = function (info) {
 /*if (info.node && $(info.node).parents('media-tag').length) {
@@ -117,10 +123,10 @@ define([
 }
 if (['addElement', 'replaceElement'].indexOf(info.diff.action) !== -1) {
 var msg = "Rejecting forbidden tag of type (%s)";
- if (info.diff.element && forbiddenTags.indexOf(info.diff.element.nodeName) !== -1) {
+ if (info.diff.element && forbiddenTags.indexOf(info.diff.element.nodeName.toUpperCase()) !== -1) {
 console.log(msg, info.diff.element.nodeName);
 return true;
- } else if (info.diff.newValue && forbiddenTags.indexOf(info.diff.newValue.nodeName) !== -1) {
+ } else if (info.diff.newValue && forbiddenTags.indexOf(info.diff.newValue.nodeName.toUpperCase()) !== -1) {
 console.log("Replacing restricted element type (%s) with PRE", info.diff.newValue.nodeName);
 info.diff.newValue.nodeName = 'PRE';
 }
@@ -142,7 +148,7 @@ define([
 var removeForbiddenTags = function (root) {
 if (!root) { return; }
- if (forbiddenTags.indexOf(root.nodeName) !== -1) { removeNode(root); }
+ if (forbiddenTags.indexOf(root.nodeName.toUpperCase()) !== -1) { removeNode(root); }
 slice(root.children).forEach(removeForbiddenTags);
 };
diff --git a/www/contacts/messenger-ui.js b/www/contacts/messenger-ui.js
index d90509676..b4e546a34 100644
--- a/www/contacts/messenger-ui.js
+++ b/www/contacts/messenger-ui.js
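Review bot: `sanitize` is off unless a caller passes `true`, so every existing `DiffMd.render(md)` call site keeps rendering raw HTML embedded in the markdown; that may be intended for apps that want HTML, but it should be stated on the function rather than left implicit, e.g. `// sanitize: when true, marked escapes raw HTML in the input; callers that omit it still receive unsanitized HTML` above the new definition. The commented-out `//sanitize: true, // Disable HTML` left in `setOptions` reads as if sanitising were the global default and should be deleted, together with the two empty added lines before `DiffMd.render`. Upstream marked has since deprecated its built-in `sanitize` option in favour of sanitising the rendered output, so if that dependency is ever upgraded this per-call flag could silently become a no-op; a short note to that effect next to the option would save the next maintainer a surprise.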
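Review bot: The new `'SVG'` entry is the only member of the list without a why-comment, and an SVG element in an HTML document reports its `nodeName` in lowercase (foreign-namespace elements keep their case), which appears to be the reason the later hunks add `.toUpperCase()`; that link is worth recording at the entry, e.g. `'SVG', // inline SVG can carry scripts and event handlers; its nodeName is lowercase, hence the toUpperCase() checks below`. A trailing comma would also keep the next addition to this list a one-line diff. The `forbiddenTags` array begins above this hunk.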
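Review bot: The `.toUpperCase()` comparison now appears three times (twice in this hunk, once more in `removeForbiddenTags` in the next one) and each copy assumes `nodeName` is already a string; a single helper keeps them in step and guards the call, e.g. `var isForbidden = function (node) { return !!node && forbiddenTags.indexOf(String(node.nodeName).toUpperCase()) !== -1; };` used as `if (isForbidden(info.diff.element)) {` and `} else if (isForbidden(info.diff.newValue)) {`. The two branches also behave differently — the element branch returns `true` to reject the diff, while the `newValue` branch rewrites `nodeName` to `'PRE'` and falls through — and a one-line comment saying the fall-through is deliberate because the rewritten node is now harmless would help the next reader. `unsafeTag` begins before this hunk and closes after it.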
@@ -143,7 +143,7 @@ define([
 });
 try {
 var $d = $(d);
- DiffMd.apply(DiffMd.render(md || ''), $d, common);
+ DiffMd.apply(DiffMd.render(md || '', true), $d, common);
 $d.addClass("cp-app-contacts-content");
 // override link clicking, because we're in an iframe