diff --git a/package.json b/package.json
index a07e2236aa..9b260e341a 100644
--- a/package.json
+++ b/package.json
@@ -68,7 +68,7 @@
     "react-addons-css-transition-group": "15.3.2",
     "react-dom": "^15.4.0",
     "react-gemini-scrollbar": "matrix-org/react-gemini-scrollbar#5e97aef",
-    "sanitize-html": "^1.11.1",
+    "sanitize-html": "^1.14.1",
     "text-encoding-utf-8": "^1.0.1",
     "velocity-vector": "vector-im/velocity#059e3b2",
     "whatwg-fetch": "^1.0.0"
diff --git a/src/HtmlUtils.js b/src/HtmlUtils.js
index b9d0ce67e8..8ae2c0a4a8 100644
--- a/src/HtmlUtils.js
+++ b/src/HtmlUtils.js
@@ -87,7 +87,7 @@ var sanitizeHtmlParams = {
         // deliberately no h1/h2 to stop people shouting.
         'h3', 'h4', 'h5', 'h6', 'blockquote', 'p', 'a', 'ul', 'ol',
         'nl', 'li', 'b', 'i', 'u', 'strong', 'em', 'strike', 'code', 'hr', 'br', 'div',
-        'table', 'thead', 'caption', 'tbody', 'tr', 'th', 'td', 'pre'
+        'table', 'thead', 'caption', 'tbody', 'tr', 'th', 'td', 'pre', 'img',
     ],
     allowedAttributes: {
         // custom ones first:
@@ -102,10 +102,10 @@ var sanitizeHtmlParams = {
     // URL schemes we permit
     allowedSchemes: ['http', 'https', 'ftp', 'mailto'],
 
-    // DO NOT USE. sanitize-html allows all URL starting with '//'
-    // so this will always allow links to whatever scheme the
-    // host page is served over.
-    allowedSchemesByTag: {},
+    allowedSchemesByTag: {
+        img: [ 'data', 'mxc' ],
+    },
+    allowProtocolRelative: false,
 
     transformTags: { // custom to matrix
         // add blank targets to all hyperlinks except vector URLs