fix(deps): update dependency dompurify to v3

[renovate]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
dompurify	^2.3.1 -> ^3.0.0

---

Release Notes

cure53/DOMPurify (dompurify)

v3.1.7: DOMPurify 3.1.7

Compare Source

• Fixed an issue with comment detection and possible bypasses with specific config settings, thanks @​masatokinugawa
• Fixed several smaller typos in documentation and test & build files, thanks @​christianhg
• Added better support for Angular compiler, thanks @​jeroen1602
• Added several new attributes to HTML and SVG allow-list, thanks @​Gigabyte5671 and @​Rotzbua
• Removed the foreignObject element from the list of HTML entry-points, thanks @​masatokinugawa
• Bumped several dependencies to be more up to date

v3.1.6: DOMPurify 3.1.6

Compare Source

• Fixed an issue with the execution logic of attribute hooks to prevent bypasses, thanks @​kevin-mizu
• Fixed an issue with element removal leading to uncaught errors through DOM Clobbering, thanks @​realansgar
• Fixed a minor problem with the bower file pointing to the wrong dist path
• Fixed several minor typos in docs, comments and comment blocks, thanks @​Rotzbua
• Updated several development dependencies

v3.1.5: DOMPurify 3.1.5

Compare Source

• Fixed a minor issue with the dist paths in bower.js, thanks @​HakumenNC
• Fixed a minor issue with sanitizing HTML coming from copy&paste Word content, thanks @​kakao-bishop-cho

v3.1.4: DOMPurify 3.1.4

Compare Source

• Fixed an issue with the recently implemented isNaN checks, thanks @​tulach
• Added several new popover attributes to allow-list, thanks @​Gigabyte5671
• Fixed the tests and adjusted the test runner to cover all branches

v3.1.3: DOMPurify 3.1.3

Compare Source

• Fixed several mXSS variations found by and thanks to @​kevin-mizu & @​Ry0taK
• Added better configurability for comment scrubbing default behavior
• Added better hardening against Prototype Pollution attacks, thanks @​kevin-mizu
• Added better handling and readability of the nodeType property, thanks @​ssi02014
• Fixed some smaller issues in README and other documentation

v3.1.2: DOMPurify 3.1.2

Compare Source

• Addressed and fixed a mXSS variation found by @​kevin-mizu
• Addressed and fixed a mXSS variation found by Adam Kues of Assetnote
• Updated tests for older Safari and Chrome versions

v3.1.1: DOMPurify 3.1.1

Compare Source

• Fixed an mXSS sanitiser bypass reported by @​icesfont
• Added new code to track element nesting depth
• Added new code to enforce a maximum nesting depth of 255
• Added coverage tests and necessary clobbering protections

Note that this is a security release and should be upgraded to immediately. Please also note that further releases may follow as the underlying vulnerability is apparently new and further variations may be discovered.

v3.1.0: DOMPurify 3.1.0

Compare Source

• Added new setting SAFE_FOR_XML to enable better control over comment scrubbing
• Updated README to warn about happy-dom not being safe for use with DOMPurify yet
• Updated the LICENSE file to show the accurate year number
• Updated several build and test dependencies

v3.0.11: DOMPurify 3.0.11

Compare Source

• Fixed another conditional bypass caused by Processing Instructions, thanks @​Ry0taK
• Fixed the regex for HTML Custom Element detection, thanks @​AlekseySolovey3T

v3.0.10: DOMPurify 3.0.10

Compare Source

• Fixed two possible bypasses when sanitizing an XML document and later using it in HTML, thanks @​Slonser
• Bumped up some build and test dependencies

v3.0.9: DOMPurify 3.0.9

Compare Source

• Fixed a problem with proper detection of Custom Elements, thanks @​kevin-mizu
• Refactored the hasOwnProperty logic, thanks @​ssi02014
• Removed a superfluous console.warn making HappyDom happier, thanks @​HugoPoi
• Modernized some of the demo hooks for better looks, thanks @​Steb95

v3.0.8: DOMPurify 3.0.8

Compare Source

• Fixed errors caused by conditional exports, thanks @​ssi02014
• Fixed a type error when working with custom element config, thanks @​cpmotion

v3.0.7: DOMPurify 3.0.7

Compare Source

• Added better protection against CSPP attacks, thanks @​kevin-mizu
• Updated browser versions for automated tests
• Updated Node versions for automated tests

v3.0.6: DOMPurify 3.0.6

Compare Source

• Refactored the core code-base and several utilities, thanks @​ssi02014
• Updated and fixed several sections of the README, thanks @​ssi02014
• Updated several outdated build and test dependencies

v3.0.5: DOMPurify 3.0.5

Compare Source

• Fixed a licensing issue spotted and reported by @​george-thomas-hill
• Updated several build and test dependencies

v3.0.4: DOMPurify 3.0.4

Compare Source

• Fixed a bypass in jsdom 22 in case the noframes element is permitted, thanks @​leeN
• Fixed a typo with shadowrootmod which should be shadowrootmode, thanks @​masatokinugawa

v3.0.3: DOMPurify 3.0.3

Compare Source

• Added new TRUSTED_TYPES_POLICY configuration option, thanks @​dejang
• Added feDropShadow to the SVG filter allow-list, thanks @​SelfMadeSystem

v3.0.2: DOMPurify 3.0.2

Compare Source

• Fixed an issue with ALLOWED_URI_REGEXP not being reset, thanks @​mukilane
• Added mprescripts tag to allowed MathML elements, thanks @​duyhai94
• Added SMS URI scheme to allowed URI schemes, tanks @​Kiwka
• Updated supported browser versions for nicer code and smaller size, thanks @​buzinas

v3.0.1: DOMPurify 3.0.1

Compare Source

• Fixed a problem with improper reset of custom HTML options, thanks @​ammaraskar

v3.0.0: DOMPurify 3.0.0

Compare Source

• Removed all code that is for MSIE-only
• Removed all tests that are for MSIE-only
• Modified documentation to reflect new state of MSIE support
• Added support for ALLOW_SELF_CLOSE_IN_ATTR flag, thanks @​edg2s @​AndreVirtimo
• Added better support for shadowrootmode, thanks @​mfreed7

NOTE Please use the 2.4.4 release if you still need MSIE support, 3.0.0 comes without the MSIE overhead

v2.5.7: DOMPurify 2.5.7

Compare Source

• Fixed an issue with comment detection and possible bypasses with specific config settings, thanks @​masatokinugawa
• Removed the foreignObject element from the list of HTML entry-points, thanks @​masatokinugawa

---

Configuration

📅 Schedule: Branch creation - "before 11pm" in timezone America/New_York, Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[codecov]

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 100.00%. Comparing base (1f729be) to head (d4e3c49).

Additional details and impacted files

@@            Coverage Diff            @@
##            master      #240   +/-   ##
=========================================
  Coverage   100.00%   100.00%           
=========================================
  Files          109       109           
  Lines         1085      1085           
  Branches       164       165    +1     
=========================================
  Hits          1085      1085           

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.