Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Bump dompurify from 2.0.8 to 2.2.6 in /back-end #34

Open
wants to merge 1 commit into
base: master
Choose a base branch
from

Conversation

dependabot[bot]
Copy link
Contributor

@dependabot dependabot bot commented on behalf of github Dec 18, 2020

Bumps dompurify from 2.0.8 to 2.2.6.

Release notes

Sourced from dompurify's releases.

DOMPurify 2.2.6

  • Added new mXSS prevention logic created by SecurityMB

DOMPurify 2.2.4

  • Fixed a new MathML-based bypass submitted by PewGrand
  • Fixed a new SVG-related bypass submitted by SecurityMB
  • Updated NodeJS CI to Node 14.x and Node 15.x
  • Cleaned up _forceRemove logic for better reliability

DOMPurify 2.2.3

  • Fixed an mXSS issue reported by PewGrand
  • Fixed a minor issue with the license header
  • Fixed a problem with overly-eager CSS stripping
  • Updated the README and removed an XSS warning

DOMPurify 2.2.2

  • Fixed an mXSS bypass dropped on us publicly via #482
  • Fixed an mXSS variation that was reported privately short after
  • Added dialog to permitted elements list
  • Fixed a small typo in the README

DOMPurify 2.2.0

  • Fix a possible XSS in Chrome that is hidden behind #enable-experimental-web-platform-features, reported by @neilj and @mfreed7
  • Changed RETURN_DOM_IMPORT default to true to address said possible XSS
  • Updated README to reflect the new change and inform about the risks of manually setting RETURN_DOM_IMPORT back to false
  • Fixed the tests to properly address the new default

DOMPurify 2.1.1

  • Removed some code targeting old Safari versions
  • Removed some code targeting older MS Edge versions
  • Re-added some code targeting older Chrome versions, thanks @terjanq
  • Added new tests and removed unused SAFE_FOR_JQUERY test cases
  • Added Node 14.x to existing test coverage

DOMPurify 2.1.0

  • Fixed several possible mXSS patterns, thanks @hackvertor
  • Removed the SAFE_FOR_JQUERY flag (we are safe by default now for jQuery)
  • Removed several now useless mXSS checks
  • Updated the mXSS check for elements
  • Updated test cases to cover new sanitization strategy
  • Updated test website to use newer jQuery
  • Updated array of tested browsers and removed legacy browsers
  • Added "auto convert" checkbox to test website, thanks @hackvertor

DOMPurify 2.0.17

  • Fixed another bypass causing mXSS by using MathML

DOMPurify 2.0.16

  • Fixed an mXSS-based bypass caused by nested forms inside MathML
  • Fixed a security error thrown on older Chrome on Android versions, see #470

... (truncated)

Commits
  • b11cb72 chore: Preparing 2.2.6 release after failed 2.2.5 attempt /2
  • 395cc83 chore: Preparing 2.2.6 release after failed 2.2.5 attempt
  • 8a1c887 chore: Preparing 2.2.5 release
  • 77e740e Merge pull request #496 from securityMB/main
  • 9dd47cb Create a polyfill for lookupGetter to make IE10 happy
  • 8e29990 fix: Made use of proper helper method to get parentNode
  • 7e3a705 fix: Fixed an issue with parent node mapping in MSIE11
  • d1cf8c6 test: Fixed additional Edge 17 and MSIE11 tests
  • 1446372 test: Fixed a bunch of Edge 17 and MSIE11 tests
  • 7d9bc6a fix: Removed usage of has()
  • Additional commits viewable in compare view

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
  • @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
  • @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
  • @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
  • @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language

You can disable automated security fix PRs for this repo from the Security Alerts page.

@dependabot dependabot bot added the dependencies Pull requests that update a dependency file label Dec 18, 2020
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
dependencies Pull requests that update a dependency file
Projects
None yet
Development

Successfully merging this pull request may close these issues.

0 participants