Bump dompurify from 2.0.12 to 2.2.7 in /server #911

dependabot · 2021-04-15T08:09:27Z

Bumps dompurify from 2.0.12 to 2.2.7.

Release notes

DOMPurify 2.2.7

Fixed handling of unsupported browsers, i.e. Safari 9 and older

Fixed various minor bugs and typos in README and examples

Added better handling of potentially harmful "is" attributes

Added better handling of lookupGetter functionality

DOMPurify 2.2.6

Added new mXSS prevention logic created by SecurityMB

DOMPurify 2.2.4

Fixed a new MathML-based bypass submitted by PewGrand

Fixed a new SVG-related bypass submitted by SecurityMB

Updated NodeJS CI to Node 14.x and Node 15.x

Cleaned up _forceRemove logic for better reliability

DOMPurify 2.2.3

Fixed an mXSS issue reported by PewGrand

Fixed a minor issue with the license header

Fixed a problem with overly-eager CSS stripping

Updated the README and removed an XSS warning

DOMPurify 2.2.2

Fixed an mXSS bypass dropped on us publicly via #482

Fixed an mXSS variation that was reported privately short after

Added dialog to permitted elements list

Fixed a small typo in the README

DOMPurify 2.2.0

Fix a possible XSS in Chrome that is hidden behind #enable-experimental-web-platform-features, reported by @neilj and @mfreed7

Changed RETURN_DOM_IMPORT default to true to address said possible XSS

Updated README to reflect the new change and inform about the risks of manually setting RETURN_DOM_IMPORT back to false

Fixed the tests to properly address the new default

DOMPurify 2.1.1

Removed some code targeting old Safari versions

Removed some code targeting older MS Edge versions

Re-added some code targeting older Chrome versions, thanks @terjanq

Added new tests and removed unused SAFE_FOR_JQUERY test cases

Added Node 14.x to existing test coverage

DOMPurify 2.1.0

Fixed several possible mXSS patterns, thanks @hackvertor

Removed the SAFE_FOR_JQUERY flag (we are safe by default now for jQuery)

Removed several now useless mXSS checks

Updated the mXSS check for elements

Updated test cases to cover new sanitization strategy

Updated test website to use newer jQuery

Updated array of tested browsers and removed legacy browsers

Added "auto convert" checkbox to test website, thanks @hackvertor

... (truncated)

Commits

a9ad5be chore: added correct version tags for 2.2.7
aedf30c chore: preparing 2.2.7 release
5b3225e Merge pull request #522 from cure53/dependabot/npm_and_yarn/elliptic-6.5.4
aeacb6d chore(deps): bump elliptic from 6.5.3 to 6.5.4
a16346c Added better isSupported handling for Safari 9, see #516
9efbbcc Merge pull request #514 from IT-premium-team/bugfix/lookup-getter-fallback
6fed510 clear code
76c87d5 lookupGetter: notify about fallback value
736b8e6 add fallback for lookup-getter util
62e7d48 Merge pull request #509 from virajkulkarni14/patch-1
Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

@dependabot rebase will rebase this PR
@dependabot recreate will recreate this PR, overwriting any edits that have been made to it
@dependabot merge will merge this PR after your CI passes on it
@dependabot squash and merge will squash and merge this PR after your CI passes on it
@dependabot cancel merge will cancel a previously requested merge and block automerging
@dependabot reopen will reopen this PR if it is closed
@dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
@dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
@dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
@dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
@dependabot use these labels will set the current labels as the default for future PRs for this repo and language
@dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
@dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
@dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language

You can disable automated security fix PRs for this repo from the Security Alerts page.

Bumps [dompurify](https://github.com/cure53/DOMPurify) from 2.0.12 to 2.2.7. - [Release notes](https://github.com/cure53/DOMPurify/releases) - [Commits](cure53/DOMPurify@2.0.12...2.2.7) Signed-off-by: dependabot[bot] <[email protected]>

dependabot · 2021-08-02T10:39:53Z