This PR contains the following updates:
Release Notes
cure53/DOMPurify (dompurify)
v3.4.11: DOMPurify 3.4.11
Compare Source
- Fixed an issue with a leaky config for hooks via
setConfig, thanks @trace37labs
- Bumped vulnerable development dependencies to arrive at plain 0 with
npm audit
- Updated the
osv-scanner suppression list as no vulnerable dependencies are left for now
- Updated up the linting tool-chain and removed now-redundant lint directives
- Updated the documentation is several spots, README, wiki, etc.
- Bumped several dependencies where possible
v3.4.10: DOMPurify 3.4.10
Compare Source
- Refactored codebase for clarity: extracted the public type declarations into
types.ts
- Decomposed the three largest sanitizer functions into focused helpers
- Removed duplicated defaults and dead branches, consolidated
SAFE_FOR_TEMPLATES scrubbing into single shared path
- Improved per-node performance by hoisting the mXSS probe regexes and testing
textContent before innerHTML
- Added a deterministic micro-benchmark harness (
npm run bench) with a --compare mode
- Reduced CI cost by running the full three-engine browser suite once per PR
- Refreshed the
demos/ folder so every demo runs again, and added a SVG-via-<img> demo
- Documented the bench and
test:happydom scripts in the README
- Completed the Attack Classes & Bypass History wiki page
- Bumped several dependencies where possible
v3.4.9: DOMPurify 3.4.9
Compare Source
- Further improved the handling of Trusted Types config options, thanks @offset
- Further improved the handling of
IN_PLACE sanitization, thanks @mozfreddyb
- Added more test coverage for
IN_PLACE and Trusted Types related usage
- Bumped several dependencies where possible
- Updated README and wiki with more accurate documentation & attack samples
v3.4.8: DOMPurify 3.4.8
Compare Source
- Cleaned up the repository root, renamed some and removed unneeded files
- Fixed an issue with handling of Trusted Types policies, thanks @fulstadev
- Fixed the node iterator for better template scrubbing, thanks @IamLeandrooooo
- Included formerly missing LICENSE-MPL in published npm package, thanks @asamuzaK
- Bumped several dependencies where possible
v3.4.7: DOMPurify 3.4.7
Compare Source
- Hardened the handling of Shadow Roots when using
IN_PLACE, thanks @GameZoneHacker
- Removed a problem leading to permanent hook pollution, thanks @offset
- Refactored the test suite and expanded test coverage significantly
v3.4.6: DOMPurify 3.4.6
Compare Source
- Fixed several issues with DOM Clobbering in
IN_PLACE mode, thanks @offset & @Bankde
- Hardened the checks for cross-realm
IN_PLACE and Shadow DOM sanitization, thanks @offset & @Bankde
- Added more test coverage for
IN_PLACE and general DOM Clobbering attacks
- Bumped several dependencies where possible
v3.4.5: DOMPurify 3.4.5
Compare Source
- Fixed a bypass caused by the new HTML element
selectedcontent added in 3.4.4, thanks @KabirAcharya
Note that this is a security release for an issue introduced in 3.4.4 and should be upgraded to immediately.
v3.4.4: DOMPurify 3.4.4
Compare Source
- Added the
selectedcontent element to default allow-list, thanks @lukewarlow
- Added the
command and commandfor attributes to default allowed-list, thanks @lukewarlow
- Added better template scrubbing for
IN_PLACE operations, thanks @DEMON1A
- Added stronger checks for cross-realm windows, thanks @DEMON1A & @fg0x0
- Updated demo website and made sure it uses the latest from main
- Updated existing workflows, fuzzer, dependabot, etc., added more tests
- Bumped several dependencies where possible
🚨 This release had been flagged as deprecated, please use DOMPurify 3.4.5 instead 🚨
v3.4.3: DOMPurify 3.4.3
Compare Source
- Fixed an issue with handling of nested Shadow DOM trees, thanks @fishjojo1
- Fixed the template regexes to be more robust against ReDoS attacks, thanks @aleung27
- Updated the node iteration code to catch more Shadow DOM related issues
- Updated Playwright and added Node 26 to test matrix
- Updated existing workflows, fuzzer, release signing, etc., added more tests
- Bumped several dependencies where possible
v3.4.2: DOMPurify 3.4.2
Compare Source
- Fixed an issue with URI validation on attributes allowed via
ADD_ATTR callback, thanks @nelstrom
- Fixed an issue with source maps referring to non-existing files, thanks @cmdcolin
- Updated existing workflows, fuzzer, release signing, etc., added more tests
- Bumped several dependencies where possible
v3.4.1: DOMPurify 3.4.1
Compare Source
- Fixed an issue with on-handler stripping for HTML-spec-reserved custom element names (
font-face, color-profile, missing-glyph, font-face-src, font-face-uri, font-face-format, font-face-name) under permissive CUSTOM_ELEMENT_HANDLING
- Fixed a case-sensitivity gap in the
annotation-xml check that allowed mixed-case variants to bypass the basic-custom-element exclusion in XHTML mode
- Fixed
SANITIZE_NAMED_PROPS repeatedly prefixing already-prefixed id and name values on subsequent sanitization
- Fixed the
IN_PLACE root-node check to explicitly guard against non-string nodeName (DOM-clobbering robustness)
- Removed a duplicate
slot entry from the default HTML attribute allow-list
- Strengthened the fast-check fuzz harness with explicit XSS invariants, an expanded seed-payload corpus, an additional idempotence property for
SANITIZE_NAMED_PROPS, and a negative-control assertion ensuring the invariants actually fire
- Added regression and pinning tests covering the above fixes and two accepted-behavior contracts (
SAFE_FOR_TEMPLATES greedy scrub, hook-added attribute handling)
- Extended CodeQL analysis to run on
3.x and 2.x maintenance branches
Configuration
📅 Schedule: (in timezone UTC)
- Branch creation
- At any time (no schedule defined)
- Automerge
- At any time (no schedule defined)
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR has been generated by Mend Renovate.
This PR contains the following updates:
| Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) |
|---|---|---|---|
| [dompurify](https://github.com/cure53/DOMPurify) | [`3.4.0` → `3.4.11`](https://renovatebot.com/diffs/npm/dompurify/3.4.0/3.4.11) |  |  |
---
### Release Notes
<details>
<summary>cure53/DOMPurify (dompurify)</summary>
### [`v3.4.11`](https://github.com/cure53/DOMPurify/releases/tag/3.4.11): DOMPurify 3.4.11
[Compare Source](https://github.com/cure53/DOMPurify/compare/3.4.10...3.4.11)
- Fixed an issue with a leaky config for hooks via `setConfig`, thanks [@​trace37labs](https://github.com/trace37labs)
- Bumped vulnerable development dependencies to arrive at plain 0 with `npm audit`
- Updated the `osv-scanner` suppression list as no vulnerable dependencies are left for now
- Updated up the linting tool-chain and removed now-redundant lint directives
- Updated the documentation is several spots, README, wiki, etc.
- Bumped several dependencies where possible
### [`v3.4.10`](https://github.com/cure53/DOMPurify/releases/tag/3.4.10): DOMPurify 3.4.10
[Compare Source](https://github.com/cure53/DOMPurify/compare/3.4.9...3.4.10)
- Refactored codebase for clarity: extracted the public type declarations into `types.ts`
- Decomposed the three largest sanitizer functions into focused helpers
- Removed duplicated defaults and dead branches, consolidated `SAFE_FOR_TEMPLATES` scrubbing into single shared path
- Improved per-node performance by hoisting the mXSS probe regexes and testing `textContent` before `innerHTML`
- Added a deterministic micro-benchmark harness (`npm run bench`) with a `--compare` mode
- Reduced CI cost by running the full three-engine browser suite once per PR
- Refreshed the `demos/` folder so every demo runs again, and added a SVG-via-`<img>` demo
- Documented the bench and `test:happydom` scripts in the README
- Completed the Attack Classes & Bypass History wiki page
- Bumped several dependencies where possible
### [`v3.4.9`](https://github.com/cure53/DOMPurify/releases/tag/3.4.9): DOMPurify 3.4.9
[Compare Source](https://github.com/cure53/DOMPurify/compare/3.4.8...3.4.9)
- Further improved the handling of Trusted Types config options, thanks [@​offset](https://github.com/offset)
- Further improved the handling of `IN_PLACE` sanitization, thanks [@​mozfreddyb](https://github.com/mozfreddyb)
- Added more test coverage for `IN_PLACE` and Trusted Types related usage
- Bumped several dependencies where possible
- Updated README and wiki with more accurate documentation & attack samples
### [`v3.4.8`](https://github.com/cure53/DOMPurify/releases/tag/3.4.8): DOMPurify 3.4.8
[Compare Source](https://github.com/cure53/DOMPurify/compare/3.4.7...3.4.8)
- Cleaned up the repository root, renamed some and removed unneeded files
- Fixed an issue with handling of Trusted Types policies, thanks [@​fulstadev](https://github.com/fulstadev)
- Fixed the node iterator for better template scrubbing, thanks [@​IamLeandrooooo](https://github.com/IamLeandrooooo)
- Included formerly missing LICENSE-MPL in published npm package, thanks [@​asamuzaK](https://github.com/asamuzaK)
- Bumped several dependencies where possible
### [`v3.4.7`](https://github.com/cure53/DOMPurify/releases/tag/3.4.7): DOMPurify 3.4.7
[Compare Source](https://github.com/cure53/DOMPurify/compare/3.4.6...3.4.7)
- Hardened the handling of Shadow Roots when using `IN_PLACE`, thanks [@​GameZoneHacker](https://github.com/GameZoneHacker)
- Removed a problem leading to permanent hook pollution, thanks [@​offset](https://github.com/offset)
- Refactored the test suite and expanded test coverage significantly
### [`v3.4.6`](https://github.com/cure53/DOMPurify/releases/tag/3.4.6): DOMPurify 3.4.6
[Compare Source](https://github.com/cure53/DOMPurify/compare/3.4.5...3.4.6)
- Fixed several issues with DOM Clobbering in `IN_PLACE` mode, thanks [@​offset](https://github.com/offset) & [@​Bankde](https://github.com/Bankde)
- Hardened the checks for cross-realm `IN_PLACE` and Shadow DOM sanitization, thanks [@​offset](https://github.com/offset) & [@​Bankde](https://github.com/Bankde)
- Added more test coverage for `IN_PLACE` and general DOM Clobbering attacks
- Bumped several dependencies where possible
### [`v3.4.5`](https://github.com/cure53/DOMPurify/releases/tag/3.4.5): DOMPurify 3.4.5
[Compare Source](https://github.com/cure53/DOMPurify/compare/3.4.4...3.4.5)
- Fixed a bypass caused by the new HTML element `selectedcontent` added in 3.4.4, thanks [@​KabirAcharya](https://github.com/KabirAcharya)
**Note that this is a security release for an issue introduced in 3.4.4 and should be upgraded to immediately.**
### [`v3.4.4`](https://github.com/cure53/DOMPurify/releases/tag/3.4.4): DOMPurify 3.4.4
[Compare Source](https://github.com/cure53/DOMPurify/compare/3.4.3...3.4.4)
- Added the `selectedcontent` element to default allow-list, thanks [@​lukewarlow](https://github.com/lukewarlow)
- Added the `command` and `commandfor` attributes to default allowed-list, thanks [@​lukewarlow](https://github.com/lukewarlow)
- Added better template scrubbing for `IN_PLACE` operations, thanks [@​DEMON1A](https://github.com/DEMON1A)
- Added stronger checks for cross-realm windows, thanks [@​DEMON1A](https://github.com/DEMON1A) & [@​fg0x0](https://github.com/fg0x0)
- Updated demo website and made sure it uses the latest from main
- Updated existing workflows, fuzzer, dependabot, etc., added more tests
- Bumped several dependencies where possible
🚨 **This release had been flagged as deprecated, please use DOMPurify 3.4.5 instead** 🚨
### [`v3.4.3`](https://github.com/cure53/DOMPurify/releases/tag/3.4.3): DOMPurify 3.4.3
[Compare Source](https://github.com/cure53/DOMPurify/compare/3.4.2...3.4.3)
- Fixed an issue with handling of nested Shadow DOM trees, thanks [@​fishjojo1](https://github.com/fishjojo1)
- Fixed the template regexes to be more robust against ReDoS attacks, thanks [@​aleung27](https://github.com/aleung27)
- Updated the node iteration code to catch more Shadow DOM related issues
- Updated Playwright and added Node 26 to test matrix
- Updated existing workflows, fuzzer, release signing, etc., added more tests
- Bumped several dependencies where possible
### [`v3.4.2`](https://github.com/cure53/DOMPurify/releases/tag/3.4.2): DOMPurify 3.4.2
[Compare Source](https://github.com/cure53/DOMPurify/compare/3.4.1...3.4.2)
- Fixed an issue with URI validation on attributes allowed via `ADD_ATTR` callback, thanks [@​nelstrom](https://github.com/nelstrom)
- Fixed an issue with source maps referring to non-existing files, thanks [@​cmdcolin](https://github.com/cmdcolin)
- Updated existing workflows, fuzzer, release signing, etc., added more tests
- Bumped several dependencies where possible
### [`v3.4.1`](https://github.com/cure53/DOMPurify/releases/tag/3.4.1): DOMPurify 3.4.1
[Compare Source](https://github.com/cure53/DOMPurify/compare/3.4.0...3.4.1)
- Fixed an issue with on-handler stripping for HTML-spec-reserved custom element names (`font-face`, `color-profile`, `missing-glyph`, `font-face-src`, `font-face-uri`, `font-face-format`, `font-face-name`) under permissive `CUSTOM_ELEMENT_HANDLING`
- Fixed a case-sensitivity gap in the `annotation-xml` check that allowed mixed-case variants to bypass the basic-custom-element exclusion in XHTML mode
- Fixed `SANITIZE_NAMED_PROPS` repeatedly prefixing already-prefixed `id` and `name` values on subsequent sanitization
- Fixed the `IN_PLACE` root-node check to explicitly guard against non-string `nodeName` (DOM-clobbering robustness)
- Removed a duplicate `slot` entry from the default HTML attribute allow-list
- Strengthened the fast-check fuzz harness with explicit XSS invariants, an expanded seed-payload corpus, an additional idempotence property for `SANITIZE_NAMED_PROPS`, and a negative-control assertion ensuring the invariants actually fire
- Added regression and pinning tests covering the above fixes and two accepted-behavior contracts (`SAFE_FOR_TEMPLATES` greedy scrub, hook-added attribute handling)
- Extended CodeQL analysis to run on `3.x` and `2.x` maintenance branches
</details>
---
### Configuration
📅 **Schedule**: (in timezone UTC)
- Branch creation
- At any time (no schedule defined)
- Automerge
- At any time (no schedule defined)
🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.
♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 **Ignore**: Close this PR and you won't be reminded about this update again.
---
- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box
---
This PR has been generated by [Mend Renovate](https://github.com/renovatebot/renovate).
<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4xNDEuNSIsInVwZGF0ZWRJblZlciI6IjQzLjI1NC4wIiwidGFyZ2V0QnJhbmNoIjoiZGV2ZWxvcCIsImxhYmVscyI6WyJLaW5kL0RlcGVuZGVuY2llcyJdfQ==-->