diff --git a/lib/sanitize.js b/lib/sanitize.js
index 42ffa5bc..5fab819a 100644
--- a/lib/sanitize.js
+++ b/lib/sanitize.js
@@ -31,7 +31,11 @@ import DOMPurify from 'dompurify';
 export function sanitize(input) {
   const window = new JSDOM('').window;
   const purify = DOMPurify(window);
-  return purify.sanitize(input, { ADD_TAGS: ['foreignObject'] });
+  return purify.sanitize(input, {
+    ADD_TAGS: ['foreignObject'],
+    // Dissalow all xlinks in incoming SVG
+    FORBID_ATTR: ['xlink:href']
+  });
 }
 export default sanitize;
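Review bot: The new `FORBID_ATTR` entry only covers the `xlink:href` spelling, but browsers also honor a plain `href` attribute on SVG `<use>`, `<image>` and `<a>` (SVG 2), so if the comment's intent is to disallow all link references in incoming SVG, `href` presumably needs forbidding as well, e.g. `FORBID_ATTR: ['xlink:href', 'href']`, at the cost of also stripping HTML anchors if non-SVG input ever passes through this function. The added comment has a typo and would be clearer about scope: `// Disallow xlink:href on incoming SVG (<use>/<image> references); note SVG 2 plain href is a separate attribute`. Separately, `ADD_TAGS: ['foreignObject']` is carried over unchanged; DOMPurify strips that element by default, and re-allowing it lets HTML be nested inside SVG, which has historically been a source of namespace-confusion (mXSS) bypasses, so a why-comment naming the feature that needs it and the DOMPurify version it was validated against would help the next reviewer. The hunk header suggests a blank line was lost in this listing before `export default sanitize;`, which does not affect the review.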