[Snyk] Upgrade dompurify from 2.2.0 to 2.2.6

[Jessi1983]

Snyk has created this PR to upgrade dompurify from 2.2.0 to 2.2.6.

ℹ️ Keep your dependencies up-to-date. This makes it easier to fix existing vulnerabilities and to more quickly identify and fix newly disclosed vulnerabilities when they affect your project.

---

• The recommended version is 6 versions ahead of your current version.
• The recommended version was released 3 months ago, on 2020-12-18.

The recommended version fixes:

Severity	Issue	PriorityScore (*)	Exploit Maturity
	Cross-site Scripting (XSS) SNYK-JS-DOMPURIFY-1035544	539/1000 Why? Has a fix available, CVSS 6.5	No Known Exploit

(*) Note that the real score may have changed since the PR was raised.

Release notes

Package name: dompurify

• 2.2.6 - 2020-12-18
  
  • Added new mXSS prevention logic created by SecurityMB
• 2.2.5 - 2020-12-18
• 2.2.4 - 2020-12-15
  
  • Fixed a new MathML-based bypass submitted by PewGrand
  • Fixed a new SVG-related bypass submitted by SecurityMB
  • Updated NodeJS CI to Node 14.x and Node 15.x
  • Cleaned up _forceRemove logic for better reliability
• 2.2.3 - 2020-12-07
  
  • Fixed an mXSS issue reported by PewGrand
  • Fixed a minor issue with the license header
  • Fixed a problem with overly-eager CSS stripping
  • Updated the README and removed an XSS warning
• 2.2.2 - 2020-11-02
  
  • Fixed an mXSS bypass dropped on us publicly via #482
  • Fixed an mXSS variation that was reported privately short after
  • Added dialog to permitted elements list
  • Fixed a small typo in the README
• 2.2.1 - 2020-11-02
• 2.2.0 - 2020-10-21
  
  • Fix a possible XSS in Chrome that is hidden behind #enable-experimental-web-platform-features, reported by @ neilj and @ mfreed7
  • Changed RETURN_DOM_IMPORT default to true to address said possible XSS
  • Updated README to reflect the new change and inform about the risks of manually setting RETURN_DOM_IMPORT back to false
  • Fixed the tests to properly address the new default

from dompurify GitHub release notes

Commit messages

Package name: dompurify

• b11cb72 chore: Preparing 2.2.6 release after failed 2.2.5 attempt /2
• 395cc83 chore: Preparing 2.2.6 release after failed 2.2.5 attempt
• 8a1c887 chore: Preparing 2.2.5 release
• 77e740e Merge pull request Make the changes from doc fix persistant nextcloud/server#496 from securityMB/main
• 9dd47cb Create a polyfill for __lookupGetter__ to make IE10 happy
• 8e29990 fix: Made use of proper helper method to get parentNode
• 7e3a705 fix: Fixed an issue with parent node mapping in MSIE11
• d1cf8c6 test: Fixed additional Edge 17 and MSIE11 tests
• 1446372 test: Fixed a bunch of Edge 17 and MSIE11 tests
• 7d9bc6a fix: Removed usage of has()
• 340ca09 fix: Remove use of new Set()
• c477321 Revert "test: Fixed tests for MSIE11"
• aae5766 Revert "test: Fixed additional tests for Edge 17 and MSIE 11"
• b0398fd Revert "test: Customized additional tests for MSIE11"
• bf62d7c test: Customized additional tests for MSIE11
• abc92e5 test: Fixed additional tests for Edge 17 and MSIE 11
• b242859 test: Fixed tests for MSIE11
• 9ee3d95 Merge pull request [stable10] move closing div to the right place nextcloud/server#495 from securityMB/main
• 808cab3 Merge branch 'main' of https://github.com/cure53/DOMPurify
• e8c8e89 Move anti-clobber to purify.js
• 21baa58 Another fix in anti-clobber: getChildNodes -> childNodes
• 6b2b871 Fix a terrible mistake in anti-clobber
• 0d42de0 Experiment with anticlobber approach
• ccc2d31 Add a bunch of tests to check namespace enforcement

Compare

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open upgrade PRs.

For more information:

🧐 View latest project report

🛠 Adjust upgrade PR settings

🔕 Ignore this dependency or unsubscribe from future upgrade PRs