
[Snyk] Upgrade dompurify from 2.0.7 to 2.2.2 #1

Open
wants to merge 1 commit into base: master from

Conversation

snyk-bot

Snyk has created this PR to upgrade dompurify from 2.0.7 to 2.2.2.

merge advice
✨ Snyk has automatically assigned this pull request, set who gets assigned.

ℹ️ Keep your dependencies up-to-date. This makes it easier to fix existing vulnerabilities and to more quickly identify and fix newly disclosed vulnerabilities when they affect your project.


  • The recommended version is 15 versions ahead of your current version.
  • The recommended version was released 23 days ago, on 2020-11-02.

The recommended version fixes:

| Severity | Issue | Priority Score (*) | Exploit Maturity |
|---|---|---|---|
| | Cross-site Scripting (XSS), SNYK-JS-DOMPURIFY-1035544 | 539/1000 (Why? Has a fix available, CVSS 6.5) | No Known Exploit |
| | Cross-site Scripting (XSS), SNYK-JS-DOMPURIFY-1016634 | 539/1000 (Why? Has a fix available, CVSS 6.5) | Proof of Concept |

(*) Note that the real score may have changed since the PR was raised.

Release notes
Package name: dompurify
  • 2.2.2 - 2020-11-02
    • Fixed an mXSS bypass dropped on us publicly via #482
    • Fixed an mXSS variation that was reported privately shortly after
    • Added dialog to permitted elements list
    • Fixed a small typo in the README
  • 2.2.1 - 2020-11-02
  • 2.2.0 - 2020-10-21
    • Fix a possible XSS in Chrome that is hidden behind #enable-experimental-web-platform-features, reported by @neilj and @mfreed7
    • Changed RETURN_DOM_IMPORT default to true to address said possible XSS
    • Updated README to reflect the new change and inform about the risks of manually setting RETURN_DOM_IMPORT back to false
    • Fixed the tests to properly address the new default
  • 2.1.1 - 2020-09-25
    • Removed some code targeting old Safari versions
    • Removed some code targeting older MS Edge versions
    • Re-added some code targeting older Chrome versions, thanks @terjanq
    • Added new tests and removed unused SAFE_FOR_JQUERY test cases
    • Added Node 14.x to existing test coverage
  • 2.1.0 - 2020-09-23
    • Fixed several possible mXSS patterns, thanks @hackvertor
    • Removed the SAFE_FOR_JQUERY flag (we are safe by default now for jQuery)
    • Removed several now useless mXSS checks
    • Updated the mXSS check for elements
    • Updated test cases to cover new sanitization strategy
    • Updated test website to use newer jQuery
    • Updated array of tested browsers and removed legacy browsers
    • Added "auto convert" checkbox to test website, thanks @hackvertor
  • 2.0.17 - 2020-09-20
    • Fixed another bypass causing mXSS by using MathML
  • 2.0.16 - 2020-09-18
    • Fixed an mXSS-based bypass caused by nested forms inside MathML
    • Fixed a security error thrown on older Chrome on Android versions, see #470

    Credits for the bypass go to Michał Bentkowski (@securityMB) of Securitum, who spotted the bug in Chrome, turned it into another DOMPurify bypass, reported it and helped verify the fix 🙇‍♂️ 🙇‍♀️

  • 2.0.15 - 2020-09-03
    • Added a renovated test suite, thanks @peernohell
    • Fixed some minor linter warnings
  • 2.0.14 - 2020-08-27
    • Fixed a problem with the documentMode default value
  • 2.0.13 - 2020-08-27

    chore: preparing 2.0.13 release

  • 2.0.12 - 2020-06-24
    • Fixed a minor bug when working with Trusted Types
    • Fixed some typos in a demo file
    • Fixed some wordings in code and docs
  • 2.0.11 - 2020-05-06
  • 2.0.10 - 2020-04-23
  • 2.0.9 - 2020-04-22
  • 2.0.8 - 2020-02-03
  • 2.0.7 - 2019-10-21
from dompurify GitHub release notes
Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open upgrade PRs.

For more information:

🧐 View latest project report

👩‍💻 Set who automatically gets assigned

🛠 Adjust upgrade PR settings

🔕 Ignore this dependency or unsubscribe from future upgrade PRs
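An added example, not part of this Snyk PR nor of DOMPurify's own code: before and after merging an upgrade like this one, it is worth confirming that every installed copy of the package (direct and transitive) is at or above the version the advisories are fixed in, since a second copy pinned by another dependency is easy to miss. The script below does that check against a `package-lock.json` in memory, with a proper semver comparison (prerelease tags sort below their release). The lockfile content and the `some-widget` dependency are constructed for the demo; the fixed-in version `2.2.2` is the recommended version from this PR.

```javascript
// Added example: audit a package-lock.json for copies of a package older than
// the version an advisory is fixed in. Not part of the Snyk PR or DOMPurify.

// The PR's recommended version, which it states fixes both listed advisories.
const FIXED_IN = "2.2.2";

// Parse "MAJOR.MINOR.PATCH[-prerelease][+build]" into comparable parts.
function parseSemver(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+[0-9A-Za-z.-]+)?$/.exec(v.trim());
  if (!m) throw new Error(`not a semver string: ${v}`);
  return { major: +m[1], minor: +m[2], patch: +m[3], pre: m[4] ? m[4].split(".") : [] };
}

// Semver precedence: numeric core first; a prerelease sorts below its release;
// prerelease identifiers compare numerically when both numeric, else as strings.
function compareSemver(a, b) {
  const x = parseSemver(a), y = parseSemver(b);
  for (const k of ["major", "minor", "patch"]) {
    if (x[k] !== y[k]) return x[k] < y[k] ? -1 : 1;
  }
  if (x.pre.length === 0 && y.pre.length === 0) return 0;
  if (x.pre.length === 0) return 1;
  if (y.pre.length === 0) return -1;
  const n = Math.max(x.pre.length, y.pre.length);
  for (let i = 0; i < n; i++) {
    if (x.pre[i] === undefined) return -1;
    if (y.pre[i] === undefined) return 1;
    const xn = /^\d+$/.test(x.pre[i]), yn = /^\d+$/.test(y.pre[i]);
    if (xn && yn) {
      if (+x.pre[i] !== +y.pre[i]) return +x.pre[i] < +y.pre[i] ? -1 : 1;
    } else if (xn) return -1;
    else if (yn) return 1;
    else if (x.pre[i] !== y.pre[i]) return x.pre[i] < y.pre[i] ? -1 : 1;
  }
  return 0;
}

// Collect every resolved copy of `name` from a lockfile: the flat "packages"
// map of lockfileVersion 2/3 and the nested "dependencies" tree of v1 (v2
// lockfiles carry both, so entries are de-duplicated by install path).
function findInstalledVersions(lock, name) {
  const byPath = new Map();
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path.endsWith(`node_modules/${name}`) && entry.version) byPath.set(path, entry.version);
  }
  const walk = (deps, prefix) => {
    for (const [dep, entry] of Object.entries(deps)) {
      const path = `${prefix}node_modules/${dep}`;
      if (dep === name && entry.version) byPath.set(path, entry.version);
      if (entry.dependencies) walk(entry.dependencies, `${path}/`);
    }
  };
  if (lock.dependencies) walk(lock.dependencies, "");
  return [...byPath].map(([path, version]) => ({ path, version }));
}

// Every installed copy strictly older than the fixed-in version.
function vulnerableCopies(lock, name, fixedIn) {
  return findInstalledVersions(lock, name).filter((c) => compareSemver(c.version, fixedIn) < 0);
}

// Constructed sample lockfile: a direct dompurify 2.0.7 (this PR's current
// version) plus a hypothetical dependency that nests its own, already-fixed copy.
const SAMPLE_LOCK = {
  lockfileVersion: 2,
  packages: {
    "": { dependencies: { dompurify: "^2.0.7", "some-widget": "1.0.0" } },
    "node_modules/dompurify": { version: "2.0.7" },
    "node_modules/some-widget": { version: "1.0.0", dependencies: { dompurify: "2.2.2" } },
    "node_modules/some-widget/node_modules/dompurify": { version: "2.2.2" },
  },
};

for (const c of vulnerableCopies(SAMPLE_LOCK, "dompurify", FIXED_IN)) {
  console.log(`${c.path}: ${c.version} is below fixed version ${FIXED_IN}`);
}
```

To run it against a real project, replace `SAMPLE_LOCK` with `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))`; a non-empty result after merging means another dependency still pins an old copy and needs its own bump or an `overrides` entry.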
