[Snyk] Upgrade dompurify from 2.0.1 to 2.0.8 #1

Open
wants to merge 1 commit into
base: master
Conversation

snyk-bot

Snyk has created this PR to upgrade dompurify from 2.0.1 to 2.0.8.

ℹ️ Keep your dependencies up-to-date. This makes it easier to fix existing vulnerabilities and to more quickly identify and fix newly disclosed vulnerabilities when they affect your project.
  • The recommended version is 7 versions ahead of your current version.
  • The recommended version was released 3 months ago, on 2020-02-03.

The recommended version fixes:

Severity  Issue                                                 Exploit Maturity
          Cross-site Scripting (XSS), SNYK-JS-DOMPURIFY-474012  No Known Exploit
          Cross-site Scripting (XSS), SNYK-JS-DOMPURIFY-468981  No Known Exploit
Release notes
Package name: dompurify
  • 2.0.8 - 2020-02-03
    • Fixed a bypass that can be abused in case SAFE_FOR_JQUERY is used with jQuery 3.x, thanks @masatokinugawa 🙇‍♀️
    • Added new elements to whitelist, thanks @chris-morgan
    • Added first layer of prototype poisoning protection, thanks @dejang
    • Added better controls for uponSanitizeAttribute, thanks @devinrhode2
    • Added demo for node removal, thanks @mikesnare
  • 2.0.7 - 2019-10-21
    • Fixed several mXSS vectors spotted, thanks @masatokinugawa 🙇‍♂️
    • Fixed a minor crash affecting MSIE11, see #372
    • Fixed some typos and adjusted the README
  • 2.0.6 - 2019-10-10
    • Enhanced the checks for SVG-/MathML-based mXSS
    • Removed several obtrusive checks and guards that are not needed any longer
    • Added better test coverage
    • Added better handling of situations where element removal causes mXSS
    • Added better handling of content type switches causing mXSS
  • 2.0.5 - 2019-10-08
    • Fixed a logical issue causing overly aggressive SVG removal spotted by @thorn0
  • 2.0.4 - 2019-10-07

    Another mXSS variation was spotted by @masatokinugawa and got addressed and fixed in this release.

    The fixes were reviewed and no new bypasses could be spotted at the moment.
    Thanks, @masatokinugawa 🙇‍♂️ 🙇‍♀️!

    The sanitization logic for this kind of mXSS was changed to be less aggressive and still be able to spot all recent mXSS variations we know about right now - while also avoiding risky string matching.

    Prayers and thoughts that this was the final variation. But better be on the lookout for more releases soon.

  • 2.0.3 - 2019-09-25
    • Fixed another mXSS variation affecting Chrome, Safari and Edge relating to HTML templates
    • Fixed a bug in the config parser leading to unexpected results

    Credits for the bypass again go to Michał Bentkowski (@securityMB) of Securitum who spotted the bug in Chrome, turned it into another DOMPurify bypass, reported and helped verifying the fix 🙇‍♂️ 🙇‍♀️

  • 2.0.2 - 2019-09-23

    Following the release of DOMPurify 2.0.1, a more thorough internal audit against Blink-based mXSS bugs was conducted. Several mXSS variations, spotted by @masatokinugawa were addressed and fixed. The fixes were reviewed and so far no new bypasses could be spotted.

    This release manages to find what is believed to be a more holistic way to prevent mXSS bugs, specifically coming from HTML attributes and tags nested inside SVG and MathML.

    Further, this release also addresses a DoS problem caused by sanitization of HTML tables when configured with potentially conflicting configuration settings.

  • 2.0.1 - 2019-09-19
    • Fixed a bypass affecting latest Chrome, caused by a newly discovered Chrome mXSS vulnerability
    • Added tests to cover implemented fixes

    Credits go to Michał Bentkowski (@securityMB) of Securitum who spotted the bug in Chrome, turned it into a DOMPurify bypass, reported and helped verifying the fix. 🙇

from dompurify GitHub release notes
Commit messages
Package name: dompurify
  • 211f0c8 Prepared 2.0.8 release
  • b9536de Preparing 2.0.8 release
  • 0bb582d Added a fix for a SAFE_FOR_JQUERY bypass found by Masato Kinugawa
  • 669b35a Merge pull request #389 from mikesnare/feature/node-removal-demo
  • 7880e56 Adding a new example for node removal
  • 2f38855 Merge pull request #386 from dejang/shared-utilities
  • cae6f3e Shared libs to prevent prototype poisoning
  • 2613dcc Merge pull request #385 from devinrhode2/uponSanitizeAttr-forceKeepAttr
  • 846698c Allow uponSanitizeAttribute to set hookEvent.forceKeepAttr to true/false
  • 0080b16 run prettier on readme
  • 36662ce See #380
  • a36029f Fix #380
  • 35edff5 Force rebuild
  • 3b0d6c5 Merge pull request #378 from chris-morgan/picture
  • b7aa332 Fixed a typo
  • 6418e7d Added @oreoshake to donor mentions
  • 224add5 Support the <picture> element
  • d4bb7d6 Update package-lock.json for 2.0.7 release
  • 3bc348b See #376
  • 294e721 Merge pull request #376 from koto/ttfix
  • 61ceff7 Updated the demo and the code to the current version of the Trusted
  • 6206687 Added dcramer as first sponsor
  • 471990a Update FUNDING.yml
  • 3a30371 Attempting a more reasonable fix for #372 and #373

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open upgrade PRs.

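A Snyk upgrade PR like this one only bumps the direct dompurify dependency; the fixes listed in the release notes (SNYK-JS-DOMPURIFY-474012, SNYK-JS-DOMPURIFY-468981) only apply to copies of the package that are actually at 2.0.8 or later, and a library in the tree can still carry its own nested 2.0.1. The following check, added here as an example and not code from Snyk or from the DOMPurify project, walks a package-lock.json in the lockfileVersion 1 layout (nested copies sit under a dependency's own "dependencies" map) and reports every copy below the fixed version. The lockfile fragment is constructed and the package name "some-widget-lib" is hypothetical.

```javascript
// Added example (not from the Snyk PR or from DOMPurify): find every installed
// copy of a package in a package-lock.json (lockfileVersion 1 layout) and report
// the ones whose version is still below the version that fixes an issue.

// Split "MAJOR.MINOR.PATCH" into numbers; pre-release and build tags are dropped,
// which is enough for the plain release versions in this PR (2.0.1, 2.0.8).
function parseSemver(version) {
  const core = version.split(/[-+]/)[0];
  const parts = core.split('.').map(Number);
  if (parts.length !== 3 || parts.some(Number.isNaN)) {
    throw new Error(`not a plain semver version: ${version}`);
  }
  return parts;
}

// Comparator over two plain semver strings: -1, 0 or 1.
function compareSemver(a, b) {
  const pa = parseSemver(a);
  const pb = parseSemver(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Recursively collect every installed copy of `name`, recording where in the
// tree it lives so a nested copy is not mistaken for the top-level one.
function findInstalledCopies(node, name, path = [], out = []) {
  const deps = node.dependencies || {};
  for (const [depName, entry] of Object.entries(deps)) {
    const here = [...path, depName];
    if (depName === name) {
      out.push({ path: here.join(' > '), version: entry.version });
    }
    if (entry.dependencies) findInstalledCopies(entry, name, here, out);
  }
  return out;
}

// Copies of `name` whose version is below `fixedVersion`.
function outdatedCopies(lock, name, fixedVersion) {
  return findInstalledCopies(lock, name).filter(
    (copy) => compareSemver(copy.version, fixedVersion) < 0
  );
}

// Constructed lockfile fragment (not from any real project): the direct
// dependency is already at 2.0.8, as this PR leaves it, but the hypothetical
// "some-widget-lib" still carries its own nested 2.0.1.
const SAMPLE_LOCK = {
  name: 'example-app',
  lockfileVersion: 1,
  dependencies: {
    dompurify: { version: '2.0.8' },
    'some-widget-lib': {
      version: '1.4.0',
      requires: { dompurify: '^2.0.0' },
      dependencies: {
        dompurify: { version: '2.0.1' },
      },
    },
  },
};

// Usage: list the copies the upgrade PR did not reach.
for (const copy of outdatedCopies(SAMPLE_LOCK, 'dompurify', '2.0.8')) {
  console.log(`${copy.path} is ${copy.version}, below the fixed version 2.0.8`);
}
```

On a real project, replace SAMPLE_LOCK with the parsed contents of the repository's package-lock.json; any path reported other than the bare top-level "dompurify" points at a transitive copy that needs its own upgrade (or a dedupe) before the listed issues are actually closed.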
