[Snyk] Upgrade dompurify from 2.0.1 to 2.0.8 #1
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Snyk has created this PR to upgrade dompurify from 2.0.1 to 2.0.8.
ℹ️ Keep your dependencies up-to-date. This makes it easier to fix existing vulnerabilities and to more quickly identify and fix newly disclosed vulnerabilities when they affect your project.The recommended version fixes:
SNYK-JS-DOMPURIFY-474012
SNYK-JS-DOMPURIFY-468981
Release notes
Package name: dompurify
SAFE_FOR_JQUERY
is used with jQuery 3.x, thanks @masatokinugawa 🙇♀️uponSanitizeAttribute
, thanks @devinrhode2Another mXSS variation was spotted by @masatokinugawa and got addressed and fixed in this release.
The fixes were reviewed and no new bypasses could be spotted at the moment.
Thanks, @masatokinugawa 🙇♂️ 🙇♀️!
The sanitization logic for this kind of mXSS was changed to be less aggressive and still be able to spot all recent mXSS variations we know about right now - while also avoiding risky string matching.
Prayers and thoughts that this was the final variation. But better be on the lookout for more releases soon.
Credits for the bypass again go to Michał Bentkowski (@securityMB) of Securitum who spotted the bug in Chrome, turned it into another DOMPurify bypass, reported and helped verifying the fix 🙇♂️ 🙇♀️
Following the release of DOMPurify 2.0.1, a more thorough internal audit against Blink-based mXSS bugs was conducted. Several mXSS variations, spotted by @masatokinugawa were addressed and fixed. The fixes were reviewed and so far no new bypasses could be spotted.
This release manages to find what is believed to be a more holistic way to prevent mXSS bugs, specifically coming from HTML attributes and tags nested inside SVG and MathML.
Further, this release also addresses a DoS problem caused by sanitization of HTML tables when configured with potentially conflicting configuration settings.
Credits go to Michał Bentkowski (@securityMB) of Securitum who spotted the bug in Chrome, turned it into a DOMPurify bypass, reported and helped verifying the fix. 🙇
Commit messages
Package name: dompurify
Compare
Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open upgrade PRs.
For more information:
🧐 View latest project report
🛠 Adjust upgrade PR settings
🔕 Ignore this dependency or unsubscribe from future upgrade PRs