diff --git a/package.json b/package.json
--- a/package.json
+++ b/package.json
@@ -20,6 +20,7 @@
     "clipboard": "^2.0.4",
     "d3": "^5.9.2",
     "datatables.net-bs4": "^1.10.19",
+    "dompurify": "^1.0.10",
     "elementsfrompoint-polyfill": "^1.0.0",
     "font-awesome": "^4.7.0",
     "highlight.js": "^9.15.6",
@@ -34,7 +35,6 @@
     "pdfjs-dist": "^2.0.943",
     "popper.js": "^1.15.0",
     "showdown": "^1.9.0",
-    "showdown-xss-filter": "^0.2.0",
     "typeface-alegreya": "0.0.69",
     "typeface-alegreya-sans": "^0.0.72",
     "url-search-params-polyfill": "^5.1.0",
diff --git a/swh/web/assets/src/bundles/webapp/readme-rendering.js b/swh/web/assets/src/bundles/webapp/readme-rendering.js
--- a/swh/web/assets/src/bundles/webapp/readme-rendering.js
+++ b/swh/web/assets/src/bundles/webapp/readme-rendering.js
@@ -1,25 +1,39 @@
 /**
- * Copyright (C) 2018  The Software Heritage developers
+ * Copyright (C) 2018-2019  The Software Heritage developers
  * See the AUTHORS file at the top-level directory of this distribution
  * License: GNU Affero General Public License version 3, or any later version
  * See top-level LICENSE file for more information
  */
 
+import DOMPurify from 'dompurify';
+
 import {handleFetchError} from 'utils/functions';
 
+DOMPurify.addHook('uponSanitizeAttribute', function(node, data) {
+  if (node.nodeName === 'IMG' && data.attrName === 'src') {
+    // remove leading slash from image src to fix rendering
+    if (data.attrValue.startsWith('/')) {
+      data.attrValue = data.attrValue.slice(1);
+    }
+  }
+});
+
+export function filterXSS(html) {
+  return DOMPurify.sanitize(html);
+}
+
 export async function renderMarkdown(domElt, markdownDocUrl) {
 
   let showdown = await import(/* webpackChunkName: "showdown" */ 'utils/showdown');
-  let xssFilter = require('showdown-xss-filter');
 
   $(document).ready(() => {
-    let converter = new showdown.Converter({tables: true, extensions: [xssFilter]});
+    let converter = new showdown.Converter({tables: true});
     fetch(markdownDocUrl)
       .then(handleFetchError)
       .then(response => response.text())
       .then(data => {
         $(domElt).addClass('swh-showdown');
-        $(domElt).html(converter.makeHtml(data));
+        $(domElt).html(filterXSS(converter.makeHtml(data)));
       })
       .catch(() => {
         $(domElt).text('Readme bytes are not available');
@@ -36,7 +50,7 @@
   let orgDocument = parser.parse(orgDocData, {toc: false});
   let orgHTMLDocument = orgDocument.convert(org.ConverterHTML, {});
   $(domElt).addClass('swh-org');
-  $(domElt).html(orgHTMLDocument.toString());
+  $(domElt).html(filterXSS(orgHTMLDocument.toString()));
   // remove toc and section numbers to get consistent
   // with other readme renderings
   $('.swh-org ul').first().remove();
diff --git a/swh/web/templates/includes/readme-display.html b/swh/web/templates/includes/readme-display.html
--- a/swh/web/templates/includes/readme-display.html
+++ b/swh/web/templates/includes/readme-display.html
@@ -19,7 +19,7 @@
 
   {% if readme_html %}
     <script>
-      $('#readme').html({{ readme_html|jsonify }});
+      $('#readme').html(swh.webapp.filterXSS({{ readme_html|jsonify }}));
     </script>
   {% elif readme_name.lower == 'readme' or readme_name.lower == 'readme.txt' %}
     <script>
diff --git a/yarn.lock b/yarn.lock
--- a/yarn.lock
+++ b/yarn.lock
@@ -1997,7 +1997,7 @@
   dependencies:
     delayed-stream "~1.0.0"
 
-commander@2, commander@^2.19.0, commander@^2.9.0:
+commander@2, commander@^2.19.0:
   version "2.19.0"
   resolved "https://registry.yarnpkg.com/commander/-/commander-2.19.0.tgz#f6198aa84e5b83c46054b94ddedbfed5ee9ff12a"
   integrity sha512-6tvAOO+D6OENvRAh524Dh9jcfKTYDQAqvqezbCW82xj5X0pSrcpxtvRKHLG0yBY6SD7PSDrJaj+0AiOcKVd1Xg==
@@ -2393,11 +2393,6 @@
   resolved "https://registry.yarnpkg.com/cssesc/-/cssesc-3.0.0.tgz#37741919903b868565e1c09ea747445cd18983ee"
   integrity sha512-/Tb/JcjK111nNScGob5MNtsntNM1aCNUDipB/TkwZFhyDrrE47SOx/18wF2bbjgc3ZzCSKW1T5nt5EbFoAz/Vg==
 
-cssfilter@^0.0.8:
-  version "0.0.8"
-  resolved "https://registry.yarnpkg.com/cssfilter/-/cssfilter-0.0.8.tgz#6564caccba8a76dd9b4b920668b9fb7fda50e54c"
-  integrity sha1-ZWTKzLqKdt2bS5IGaLn7f9pQ5Uw=
-
 cssnano-preset-default@^4.0.7:
   version "4.0.7"
   resolved "https://registry.yarnpkg.com/cssnano-preset-default/-/cssnano-preset-default-4.0.7.tgz#51ec662ccfca0f88b396dcd9679cdb931be17f76"
@@ -2994,6 +2989,11 @@
   dependencies:
     domelementtype "1"
 
+dompurify@^1.0.10:
+  version "1.0.10"
+  resolved "https://registry.yarnpkg.com/dompurify/-/dompurify-1.0.10.tgz#18d7353631c86ee25049e38fbca8c6b2c5a2af87"
+  integrity sha512-huhl3DSWX5LaA7jDtnj3XQdJgWW1wYouNW7N0drGzQa4vEUSVWyeFN+Atx6HP4r5cang6oQytMom6I4yhGJj5g==
+
 domutils@^1.5.1, domutils@^1.7.0:
   version "1.7.0"
   resolved "https://registry.yarnpkg.com/domutils/-/domutils-1.7.0.tgz#56ea341e834e06e6748af7a1cb25da67ea9f8c2a"
@@ -7753,13 +7753,6 @@
   resolved "https://registry.yarnpkg.com/shebang-regex/-/shebang-regex-1.0.0.tgz#da42f49740c0b42db2ca9728571cb190c98efea3"
   integrity sha1-2kL0l0DAtC2yypcoVxyxkMmO/qM=
 
-showdown-xss-filter@^0.2.0:
-  version "0.2.0"
-  resolved "https://registry.yarnpkg.com/showdown-xss-filter/-/showdown-xss-filter-0.2.0.tgz#39857bae56d6184979f26876b187bb87e9f4f04c"
-  integrity sha1-OYV7rlbWGEl58mh2sYe7h+n08Ew=
-  dependencies:
-    xss "0.2.x"
-
 showdown@^1.9.0:
   version "1.9.0"
   resolved "https://registry.yarnpkg.com/showdown/-/showdown-1.9.0.tgz#d49d2a0b6db21b7c2e96ef855f7b3b2a28ef46f4"
@@ -9146,14 +9139,6 @@
   resolved "https://registry.yarnpkg.com/xdg-basedir/-/xdg-basedir-3.0.0.tgz#496b2cc109eca8dbacfe2dc72b603c17c5870ad4"
   integrity sha1-SWsswQnsqNus/i3HK2A8F8WHCtQ=
 
-xss@0.2.x:
-  version "0.2.18"
-  resolved "https://registry.yarnpkg.com/xss/-/xss-0.2.18.tgz#6df5fb5ca28bdc51e78624ff63f19e13ebd73bab"
-  integrity sha1-bfX7XKKL3FHnhiT/Y/GeE+vXO6s=
-  dependencies:
-    commander "^2.9.0"
-    cssfilter "^0.0.8"
-
 xtend@^4.0.0, xtend@^4.0.1, xtend@~4.0.1:
   version "4.0.1"
   resolved "https://registry.yarnpkg.com/xtend/-/xtend-4.0.1.tgz#a5c6d532be656e23db820efb943a1f04998d63af"