Update dependency dompurify to v2.5.4

[renovate]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
dompurify	2.0.12 -> 2.5.4

---

Release Notes

cure53/DOMPurify (dompurify)

v2.5.4: DOMPurify 2.5.4

Compare Source

• Fixed a bug with latest isNaN checks affecting MSIE, thanks @​tulach
• Fixed the tests for MSIE and fixed related test-runner

v2.5.3: DOMPurify 2.5.3

Compare Source

• Fixed several mXSS variations found by and thanks to @​kevin-mizu & @​Ry0taK
• Added better configurability for comment scrubbing default behavior
• Added better hardening against Prototype Pollution attacks, thanks @​kevin-mizu
• Fixed some smaller issues in README and other documentation

v2.5.2: DOMPurify 2.5.2

Compare Source

• Addressed and fixed a mXSS variation found by @​kevin-mizu
• Addressed and fixed a mXSS variation found by Adam Kues of Assetnote
• Updated tests for older Safari and Chrome versions

v2.5.1: DOMPurify 2.5.1

Compare Source

• Fixed an mXSS sanitizer bypass reported by @​icesfont
• Added new code to track element nesting depth
• Added new code to enforce a maximum nesting depth of 255
• Added coverage tests and necessary clobbering protections

Note that this is a security release and should be upgraded to immediately. Please also note that further releases may follow as the underlying vulnerability is apparently new and further variations may be discovered.

v2.5.0: DOMPurify 2.5.0

Compare Source

• Added new setting SAFE_FOR_XML to enable better control over comment scrubbing
• Updated the LICENSE file to show the accurate year number
• Updated several build and test dependencies

v2.4.9: DOMPurify 2.4.9

Compare Source

• Fixed another conditional bypass caused by Processing Instructions, thanks @​Ry0taK
• Fixed the regex for HTML Custom Element detection, thanks @​AlekseySolovey3T

v2.4.8: DOMPurify 2.4.8

Compare Source

• Fixed two possible bypasses when sanitizing an XML document and later using it in HTML, thanks @​Slonser

v2.4.7: DOMPurify 2.4.7

Compare Source

• Fixed a licensing issue spotted and reported by @​george-thomas-hill

v2.4.6: DOMPurify 2.4.6

Compare Source

• Fixed a bypass in jsdom 22 in case the noframes element is permitted, thanks @​leeN

v2.4.5: DOMPurify 2.4.5

Compare Source

• Fixed a problem with improper reset of custom HTML options, thanks @​ammaraskar

v2.4.4: DOMPurify 2.4.4

Compare Source

• Added support for ALLOW_SELF_CLOSE_IN_ATTR flag, thanks @​edg2s @​AndreVirtimo
• Added better support for shadowrootmode, thanks @​mfreed7

v2.4.3: DOMPurify 2.4.3

Compare Source

• Final release that is compatible with MSIE10 & MSIE 11

v2.4.2: DOMPurify 2.4.2

Compare Source

• Fixed a Trusted Types sink violation with empty input and NAMESPACE , thanks @​tosmolka
• Fixed a Prototype Pollution issue discovered and reported by @​kevin-mizu

v2.4.1: DOMPurify 2.4.1

Compare Source

• Added new config option ALLOWED_NAMESPACES for better XML handling, thanks @​kevin-deyoungster @​tosmolka
• Added better detection of template literals when SAFE_FOR_TEMPLATES is true
• Fixed an exception caused by DOM clobbering, thanks @​masatokinugawa
• Bumped some dependencies, thanks @​marcpenya-tf

v2.4.0: DOMPurify 2.4.0

Compare Source

• Removed bundled types again as they caused too much trouble

v2.3.12: DOMPurify 2.3.12

Compare Source

• Fixed an issue in 2.3.11 causing errors w. TypeScript, see #​712, thanks @​Mirco469, @​brentkeller, @​aryanisml

v2.3.11: DOMPurify 2.3.11

Compare Source

• Added generated type definitions for better compatibility
• Added SANITIZE_NAMED_PROPS config option, thanks @​SoheilKhodayari
• Updated README and config documentation, thanks @​0xedward
• Updated test suite with newer Node versions

v2.3.10: DOMPurify 2.3.10

Compare Source

• Added support for sanitization of attributes requiring Trusted Types, thanks @​tosmolka

v2.3.9: DOMPurify 2.3.9

Compare Source

• Made TAG and ATTR config options case-sensitive when parsing XHTML, thanks @​tosmolka
• Bumped some dependencies, thanks @​is2ei
• Included github-actions in the dependabot config, thanks @​nathannaveen

v2.3.8: DOMPurify 2.3.8

Compare Source

• Cleaned up a minor issue with the 2.3.7 release, thanks @​johnbirds

No other changes compared to 2.3.7 release, which entail:

• Fixes around a bug in Safari, thanks @​sybrew
• Slightly improved performance, thanks @​tiny-ben-tran
• Lots of chores, bumps and typo fixes, thanks @​is2ei
• Removed unnecessary string trimming, thanks @​christopherehlen

v2.3.7

Compare Source

v2.3.6: DOMPurify 2.3.6

Compare Source

• Added an option to allow HTML5 doctypes, thanks @​tosmolka
• Bumped several dependencies, thanks @​is2ei
• Updated documentation to cover recently added flags, thanks @​is2ei

v2.3.5: DOMPurify 2.3.5

Compare Source

• Performed several chores and cleanups, thanks @​is2ei
• Fixed a bug when working with Trusted Types, thanks @​tosmolka
• Fixed a bug with weird behavior on insecure nodes in IN_PLACE mode, thanks @​tosmolka
• Added more SVG attributes to allow-list, thanks @​rzhade3

v2.3.4: DOMPurify 2.3.4

Compare Source

• Added support for Custom Elements, thanks @​franktopel
• Added new config settings to control Custom Element sanitizing, thanks @​franktopel
• Added faster clobber checks, thanks @​GrantGryczan
• Allow-listed SVG feImage elements, thanks @​ydaniv
• Updated test suite
• Update supported Node versions
• Updated README

v2.3.3: DOMPurify 2.3.3

Compare Source

• Fixed a bug in the handing of PARSER_MEDIA_TYPE spotted by @​securitum-mb
• Adjusted the tests for MSIE to make sure the results are as expected now

v2.3.2: DOMPurify 2.3.2

Compare Source

• Added new config option PARSER_MEDIA_TYPE, thanks @​tosmolka

v2.3.1: DOMPurify 2.3.1

Compare Source

• Added code to make FORBID_CONTENTS setting configurable
• Added role to URI-safe attributes
• Added more paranoid handling for template elements

v2.3.0: DOMPurify 2.3.0

Compare Source

• Added better handling of document creation on Firefox
• Added better handling of version numbers in license file
• Added two new browser versions to test suite config
• Fixed a bug with handling of custom data attributes

v2.2.9: DOMPurify 2.2.9

Compare Source

• Fixed some minor issues related to the NAMESPACE config
• Fixed some minor issues relating to empty input
• Fixed some minor issues relating to handling of invalid XML

v2.2.8: DOMPurify 2.2.8

Compare Source

• Added NAMESPACE config option, thanks @​NateScarlet
• Added better fallback for older browsers & PhantomJS, thanks @​albanx
• Extended allow-list for SVG attributes a bit

v2.2.7: DOMPurify 2.2.7

Compare Source

• Fixed handling of unsupported browsers, i.e. Safari 9 and older
• Fixed various minor bugs and typos in README and examples
• Added better handling of potentially harmful "is" attributes
• Added better handling of lookupGetter functionality

v2.2.6: DOMPurify 2.2.6

Compare Source

• Added new mXSS prevention logic created by SecurityMB

v2.2.5

Compare Source

v2.2.4: DOMPurify 2.2.4

Compare Source

• Fixed a new MathML-based bypass submitted by PewGrand
• Fixed a new SVG-related bypass submitted by SecurityMB
• Updated NodeJS CI to Node 14.x and Node 15.x
• Cleaned up _forceRemove logic for better reliability

v2.2.3: DOMPurify 2.2.3

Compare Source

• Fixed an mXSS issue reported by PewGrand
• Fixed a minor issue with the license header
• Fixed a problem with overly-eager CSS stripping
• Updated the README and removed an XSS warning

v2.2.2: DOMPurify 2.2.2

Compare Source

• Fixed an mXSS bypass dropped on us publicly via #​482
• Fixed an mXSS variation that was reported privately short after
• Added dialog to permitted elements list
• Fixed a small typo in the README

v2.2.1

Compare Source

v2.2.0: DOMPurify 2.2.0

Compare Source

• Fix a possible XSS in Chrome that is hidden behind #enable-experimental-web-platform-features, reported by @​neilj and @​mfreed7
• Changed RETURN_DOM_IMPORT default to true to address said possible XSS
• Updated README to reflect the new change and inform about the risks of manually setting RETURN_DOM_IMPORT back to false
• Fixed the tests to properly address the new default

v2.1.1: DOMPurify 2.1.1

Compare Source

• Removed some code targeting old Safari versions
• Removed some code targeting older MS Edge versions
• Re-added some code targeting older Chrome versions, thanks @​terjanq
• Added new tests and removed unused SAFE_FOR_JQUERY test cases
• Added Node 14.x to existing test coverage

v2.1.0: DOMPurify 2.1.0

Compare Source

• Fixed several possible mXSS patterns, thanks @​hackvertor
• Removed the SAFE_FOR_JQUERY flag (we are safe by default now for jQuery)
• Removed several now useless mXSS checks
• Updated the mXSS check for elements
• Updated test cases to cover new sanitization strategy
• Updated test website to use newer jQuery
• Updated array of tested browsers and removed legacy browsers
• Added "auto convert" checkbox to test website, thanks @​hackvertor

v2.0.17: DOMPurify 2.0.17

Compare Source

• Fixed another bypass causing mXSS by using MathML

v2.0.16: DOMPurify 2.0.16

Compare Source

• Fixed an mXSS-based bypass caused by nested forms inside MathML
• Fixed a security error thrown on older Chrome on Android versions, see #​470

Credits for the bypass go to Michał Bentkowski (@​securityMB) of Securitum who spotted the bug in Chrome, turned it into another DOMPurify bypass, reported and helped verifying the fix 🙇‍♂️ 🙇‍♀️

v2.0.15: DOMPurify 2.0.15

Compare Source

• Added a renovated test suite, thanks @​peernohell
• Fixed some minor linter warnings

v2.0.14: DOMPurify 2.0.14

Compare Source

• Fixed a problem with the documentMode default value

v2.0.13

Compare Source

---

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR has been generated by Mend Renovate. View repository job log here.