atom / settings-view

🔧 Edit Atom settings
MIT License
272 stars 276 forks source link

Bump dompurify from 1.0.8 to 2.0.3 #1159

Closed dependabot[bot] closed 4 years ago

dependabot[bot] commented 4 years ago

Bumps dompurify from 1.0.8 to 2.0.3.

Release notes

Sourced from dompurify's releases.

DOMPurify 2.0.3

  • Fixed another mXSS variation affecting Chrome, Safari and Edge relating to HTML templates
  • Fixed a bug in the config parser leading to unexpected results

Credits for the bypass again go to Michał Bentkowski (@securityMB) of Securitum who spotted the bug in Chrome, turned it into another DOMPurify bypass, reported and helped verifying the fix :bowing_man: :bowing_woman:

DOMPurify 2.0.2

Following the release of DOMPurify 2.0.1, a more thorough internal audit against Blink-based mXSS bugs was conducted. Several mXSS variations, spotted by @masatokinugawa were addressed and fixed. The fixes were reviewed and so far no new bypasses could be spotted.

This release manages to find what is believed to be a more holistic way to prevent mXSS bugs, specifically coming from HTML attributes and tags nested inside SVG and MathML.

Further, this release also addresses a DoS problem caused by sanitization of HTML tables when configured with potentially conflicting configuration settings.

DOMPurify 2.0.1

  • Fixed a bypass affecting latest Chrome, caused by a newly discovered Chrome mXSS vulnerability
  • Added tests to cover implemented fixes

Credits go to Michał Bentkowski (@SecurityMB) of Securitum who spotted the bug in Chrome, turned it into a DOMPurify bypass, reported and helped verifying the fix. :bow:

DOMPurify 2.0.0

Note: This release makes sure that, by default only string objects are returned (if not specified otherwise). This change relates to a surprising behavior in Chrome 77 - having to do with Trusted Types.

  • Changed the default behavior for Trusted Types (See #361)
  • Added a new config flag to manually enable Trusted Types support
  • Added support for more attributes
  • Fixed a minor CSP warning

DOMPurify 1.0.11

  • Fixed a minor problem with persistent config flags
  • Fixed a problem with extraneous HTML elements
  • Fixed some minor issues in README and Demo
  • Expanded the array of permitted SVG properties
  • Expanded the array of permitted HTML properties

DOMPurify 1.0.10

  • Fixed a possible security problem when SAFE_FOR_TEMPLATES is true (default is false), thanks @masatokinugawa
  • Fixed a security problem when ALLOWED_TAGS or ADD_TAGS white-lists noembed or noscript (not the default), thanks @masatokinugawa
  • Added better internal code hardening, thanks @choumx
  • Extended the SVG attribute whitelist
  • Added more tests
  • Added better browser coverage for CI via BrowserStack
  • Cleaned up legacy browser coverage for CI via BrowserStack

DOMPurify 1.0.9

  • Extended array of tested browsers
  • Fixed a build error caused by npm@natives
  • Optimized handling of leading white-space
  • Squashed a memory leak
  • Removed a spurious alert from internal tests
Commits
  • d16ba74 Fixed Tests for Chrome 22
  • cf6eade Fixed a typo
  • 1882b8c Adjusted some more tests for Safari 8 and MSIE10
  • db5e71d Adjusted more tests for Safari 8
  • 2bcb446 Adjusted the tests to reflect the new "no SVG for Safari 8" situation
  • 59dbf8e Trying to target Safari 8 in yet a different way
  • 3b31f82 Cahned Safari 8 XSS fix again to be more accurate
  • 27a3e6a Used instanceof instead of typeof, duh
  • 01984d1 Made the Safari 8 XSS fix be more accurate
  • 6ff479b Made the Safari 8 check be more accurate
  • Additional commits viewable in compare view


Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) - `@dependabot use these labels` will set the current labels as the default for future PRs for this repo and language - `@dependabot use these reviewers` will set the current reviewers as the default for future PRs for this repo and language - `@dependabot use these assignees` will set the current assignees as the default for future PRs for this repo and language - `@dependabot use this milestone` will set the current milestone as the default for future PRs for this repo and language You can disable automated security fix PRs for this repo from the [Security Alerts page](https://github.com/atom/settings-view/network/alerts).
dependabot[bot] commented 4 years ago

Superseded by #1160.