diff --git a/www/pad/main.js b/www/pad/main.js
index d47c207e7..817607ded 100644
--- a/www/pad/main.js
+++ b/www/pad/main.js
@@ -313,6 +313,10 @@ define([
 if (!readOnly && !initializing) {
 userDocStateDom.setAttribute("contenteditable", "true"); // lol wtf
 }
+ $(userDocStateDom).find('script, applet, object, iframe').remove();
+ $(userDocStateDom).find('a').filter(function (i, x) {
+ return ! /^(https|http|ftp):\/\/[^\s\n]*$/.test(x.getAttribute('href'));
+ }).remove();
 var patch = (DD).diff(inner, userDocStateDom);
 (DD).apply(inner, patch);
 if (readOnly) {
@@ -625,8 +629,10 @@ define([
 if (stringify(hjson2) !== stringify(hjson)) {
 console.log('err');
 console.error("shjson2 !== shjson");
- Cryptpad.errorLoadingScreen(Messages.wrongApp);
- throw new Error();
+ // TODO(cjd): This is removed because the XSS filter in applyHjson()
+ // is applied on incoming content so it causes this to fail.
+ //Cryptpad.errorLoadingScreen(Messages.wrongApp);
+ //throw new Error();
 }
 }
 } else {
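Review bot: The new filter before the `(DD).diff(inner, userDocStateDom)` call is a tag-name denylist, and a denylist is hard to keep complete: it removes four element types and non-http(s)/ftp anchors, but leaves every attribute of the retained elements untouched (inline `on*` event-handler attributes in particular) and does not cover other active elements such as `embed` or `form`, so the sanitizer should at least strip attributes whose name begins with `on` from every element and, better, be replaced by an allowlist of permitted tags and attributes applied when the incoming DOM is built. Two smaller points on the href test: `[^\s\n]` is the same as `[^\s]` because `\s` already matches `\n`, and `x.getAttribute('href')` is `null` for an anchor without an `href`, which the regex coerces to the string `"null"` and therefore removes; if named anchors are meant to survive, guard with `var href = x.getAttribute('href'); return href !== null && !/^(https?|ftp):\/\/\S*$/.test(href);` (note the inverted return is kept because the filtered set is what gets removed). The enclosing function starts and ends outside the hunk.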
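Review bot: Commenting out `Cryptpad.errorLoadingScreen(Messages.wrongApp)` and the `throw` turns the `stringify(hjson2) !== stringify(hjson)` check into a console message only, so a genuine mismatch that has nothing to do with the filter (a document from a different app, or corrupted content) now lets the user keep editing with no indication that the round-trip failed. Rather than disabling the check, the comparison should be made against a normalised input — run the same sanitisation over `hjson` (or the DOM it produces) before comparing, so that the filter's own removals cannot trigger the mismatch while every other divergence still does. The `console.log('err')` line above the error looks like a debugging leftover and could be dropped along with this change. The surrounding if/else continues outside the hunk.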