Fixed another mXSS variation affecting Chrome, Safari and Edge relating to HTML templates
Fixed a bug in the config parser leading to unexpected results
Credits for the bypass again go to Michał Bentkowski (@securityMB) of Securitum who spotted the bug in Chrome, turned it into another DOMPurify bypass, reported and helped verifying the fix :bowing_man: :bowing_woman:
DOMPurify 2.0.2
Following the release of DOMPurify 2.0.1, a more thorough internal audit against Blink-based mXSS bugs was conducted. Several mXSS variations, spotted by @masatokinugawa were addressed and fixed. The fixes were reviewed and so far no new bypasses could be spotted.
This release manages to find what is believed to be a more holistic way to prevent mXSS bugs, specifically coming from HTML attributes and tags nested inside SVG and MathML.
Further, this release also addresses a DoS problem caused by sanitization of HTML tables when configured with potentially conflicting configuration settings.
DOMPurify 2.0.1
Fixed a bypass affecting latest Chrome, caused by a newly discovered Chrome mXSS vulnerability
Added tests to cover implemented fixes
Credits go to Michał Bentkowski (@SecurityMB) of Securitum who spotted the bug in Chrome, turned it into a DOMPurify bypass, reported and helped verifying the fix. :bow:
DOMPurify 2.0.0
Note: This release makes sure that, by default only string objects are returned (if not specified otherwise). This change relates to a surprising behavior in Chrome 77 - having to do with Trusted Types.
Changed the default behavior for Trusted Types (See #361)
Added a new config flag to manually enable Trusted Types support
Added support for more attributes
Fixed a minor CSP warning
DOMPurify 1.0.11
Fixed a minor problem with persistent config flags
Fixed a problem with extraneous HTML elements
Fixed some minor issues in README and Demo
Expanded the array of permitted SVG properties
Expanded the array of permitted HTML properties
DOMPurify 1.0.10
Fixed a possible security problem when SAFE_FOR_TEMPLATES is true (default is false), thanks @masatokinugawa
Fixed a security problem when ALLOWED_TAGS or ADD_TAGS white-lists noembed or noscript (not the default), thanks @masatokinugawa
Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.
Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
- `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
- `@dependabot use these labels` will set the current labels as the default for future PRs for this repo and language
- `@dependabot use these reviewers` will set the current reviewers as the default for future PRs for this repo and language
- `@dependabot use these assignees` will set the current assignees as the default for future PRs for this repo and language
- `@dependabot use this milestone` will set the current milestone as the default for future PRs for this repo and language
You can disable automated security fix PRs for this repo from the [Security Alerts page](https://github.com/atom/settings-view/network/alerts).
Bumps dompurify from 1.0.8 to 2.0.3.
Release notes
Sourced from dompurify's releases.
Commits
d16ba74
Fixed Tests for Chrome 22cf6eade
Fixed a typo1882b8c
Adjusted some more tests for Safari 8 and MSIE10db5e71d
Adjusted more tests for Safari 82bcb446
Adjusted the tests to reflect the new "no SVG for Safari 8" situation59dbf8e
Trying to target Safari 8 in yet a different way3b31f82
Cahned Safari 8 XSS fix again to be more accurate27a3e6a
Used instanceof instead of typeof, duh01984d1
Made the Safari 8 XSS fix be more accurate6ff479b
Made the Safari 8 check be more accurateDependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting
@dependabot rebase
.Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) - `@dependabot use these labels` will set the current labels as the default for future PRs for this repo and language - `@dependabot use these reviewers` will set the current reviewers as the default for future PRs for this repo and language - `@dependabot use these assignees` will set the current assignees as the default for future PRs for this repo and language - `@dependabot use this milestone` will set the current milestone as the default for future PRs for this repo and language You can disable automated security fix PRs for this repo from the [Security Alerts page](https://github.com/atom/settings-view/network/alerts).