Update dependency dompurify to v3 [SECURITY]

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
dompurify	^2.0.11 → ^3.2.4

GitHub Vulnerability Alerts

CVE-2025-26791

DOMPurify before 3.2.4 has an incorrect template literal regular expression when SAFE_FOR_TEMPLATES is set to true, sometimes leading to mutation cross-site scripting (mXSS).

---

Release Notes

cure53/DOMPurify (dompurify)

v3.2.4: DOMPurify 3.2.4

Compare Source

• Fixed a conditional and config dependent mXSS-style bypass reported by @​nsysean
• Added a new feature to allow specific hook removal, thanks @​davecardwell
• Added purify.js and purify.min.js to exports, thanks @​Aetherinox
• Added better logic in case no window object is president, thanks @​yehuya
• Updated some dependencies called out by dependabot
• Updated license files etc to show the correct year

v3.2.3: DOMPurify 3.2.3

Compare Source

• Fixed two conditional sanitizer bypasses discovered by @​parrot409 and @​Slonser
• Updated the attribute clobbering checks to prevent future bypasses, thanks @​parrot409

v3.2.2: DOMPurify 3.2.2

Compare Source

• Fixed a possible bypass in case a rather specific config for custom elements is set, thanks @​yaniv-git
• Fixed several minor issues with the type definitions, thanks again @​reduckted
• Fixed a minor issue with the types reference for trusted types, thanks @​reduckted
• Fixed a minor problem with the template detection regex on some systems, thanks @​svdb99

v3.2.1: DOMPurify 3.2.1

Compare Source

• Fixed several minor issues with the type definitions, thanks @​reduckted @​ghiscoding @​asamuzaK @​MiniDigger
• Fixed an issue with non-minified dist files and order of imports, thanks @​reduckted

v3.2.0: DOMPurify 3.2.0

Compare Source

• Added type declarations, thanks @​reduckted , @​philmayfield, @​aloisklink, @​ssi02014 and others
• Fixed a minor issue with the handling of hooks, thanks @​kevin-mizu

v3.1.7: DOMPurify 3.1.7

Compare Source

• Fixed an issue with comment detection and possible bypasses with specific config settings, thanks @​masatokinugawa
• Fixed several smaller typos in documentation and test & build files, thanks @​christianhg
• Added better support for Angular compiler, thanks @​jeroen1602
• Added several new attributes to HTML and SVG allow-list, thanks @​Gigabyte5671 and @​Rotzbua
• Removed the foreignObject element from the list of HTML entry-points, thanks @​masatokinugawa
• Bumped several dependencies to be more up to date

v3.1.6: DOMPurify 3.1.6

Compare Source

• Fixed an issue with the execution logic of attribute hooks to prevent bypasses, thanks @​kevin-mizu
• Fixed an issue with element removal leading to uncaught errors through DOM Clobbering, thanks @​realansgar
• Fixed a minor problem with the bower file pointing to the wrong dist path
• Fixed several minor typos in docs, comments and comment blocks, thanks @​Rotzbua
• Updated several development dependencies

v3.1.5: DOMPurify 3.1.5

Compare Source

• Fixed a minor issue with the dist paths in bower.js, thanks @​HakumenNC
• Fixed a minor issue with sanitizing HTML coming from copy&paste Word content, thanks @​kakao-bishop-cho

v3.1.4: DOMPurify 3.1.4

Compare Source

• Fixed an issue with the recently implemented isNaN checks, thanks @​tulach
• Added several new popover attributes to allow-list, thanks @​Gigabyte5671
• Fixed the tests and adjusted the test runner to cover all branches

v3.1.3: DOMPurify 3.1.3

Compare Source

• Fixed several mXSS variations found by and thanks to @​kevin-mizu & @​Ry0taK
• Added better configurability for comment scrubbing default behavior
• Added better hardening against Prototype Pollution attacks, thanks @​kevin-mizu
• Added better handling and readability of the nodeType property, thanks @​ssi02014
• Fixed some smaller issues in README and other documentation

v3.1.2: DOMPurify 3.1.2

Compare Source

• Addressed and fixed a mXSS variation found by @​kevin-mizu
• Addressed and fixed a mXSS variation found by Adam Kues of Assetnote
• Updated tests for older Safari and Chrome versions

v3.1.1: DOMPurify 3.1.1

Compare Source

• Fixed an mXSS sanitiser bypass reported by @​icesfont
• Added new code to track element nesting depth
• Added new code to enforce a maximum nesting depth of 255
• Added coverage tests and necessary clobbering protections

Note that this is a security release and should be upgraded to immediately. Please also note that further releases may follow as the underlying vulnerability is apparently new and further variations may be discovered.

v3.1.0: DOMPurify 3.1.0

Compare Source

• Added new setting SAFE_FOR_XML to enable better control over comment scrubbing
• Updated README to warn about happy-dom not being safe for use with DOMPurify yet
• Updated the LICENSE file to show the accurate year number
• Updated several build and test dependencies

v3.0.11: DOMPurify 3.0.11

Compare Source

• Fixed another conditional bypass caused by Processing Instructions, thanks @​Ry0taK
• Fixed the regex for HTML Custom Element detection, thanks @​AlekseySolovey3T

v3.0.10: DOMPurify 3.0.10

Compare Source

• Fixed two possible bypasses when sanitizing an XML document and later using it in HTML, thanks @​Slonser
• Bumped up some build and test dependencies

v3.0.9: DOMPurify 3.0.9

Compare Source

• Fixed a problem with proper detection of Custom Elements, thanks @​kevin-mizu
• Refactored the hasOwnProperty logic, thanks @​ssi02014
• Removed a superfluous console.warn making HappyDom happier, thanks @​HugoPoi
• Modernized some of the demo hooks for better looks, thanks @​Steb95

v3.0.8: DOMPurify 3.0.8

Compare Source

• Fixed errors caused by conditional exports, thanks @​ssi02014
• Fixed a type error when working with custom element config, thanks @​cpmotion

v3.0.7: DOMPurify 3.0.7

Compare Source

• Added better protection against CSPP attacks, thanks @​kevin-mizu
• Updated browser versions for automated tests
• Updated Node versions for automated tests
• Refactored code base, thanks @​ssi02014
• Refactored build system & deployment, thanks @​ssi02014

v3.0.6: DOMPurify 3.0.6

Compare Source

• Refactored the core code-base and several utilities, thanks @​ssi02014
• Updated and fixed several sections of the README, thanks @​ssi02014
• Updated several outdated build and test dependencies

v3.0.5: DOMPurify 3.0.5

Compare Source

• Fixed a licensing issue spotted and reported by @​george-thomas-hill
• Updated several build and test dependencies

v3.0.4: DOMPurify 3.0.4

Compare Source

• Fixed a bypass in jsdom 22 in case the noframes element is permitted, thanks @​leeN
• Fixed a typo with shadowrootmod which should be shadowrootmode, thanks @​masatokinugawa

v3.0.3: DOMPurify 3.0.3

Compare Source

• Added new TRUSTED_TYPES_POLICY configuration option, thanks @​dejang
• Added feDropShadow to the SVG filter allow-list, thanks @​SelfMadeSystem

v3.0.2: DOMPurify 3.0.2

Compare Source

• Fixed an issue with ALLOWED_URI_REGEXP not being reset, thanks @​mukilane
• Added mprescripts tag to allowed MathML elements, thanks @​duyhai94
• Added SMS URI scheme to allowed URI schemes, tanks @​Kiwka
• Updated supported browser versions for nicer code and smaller size, thanks @​buzinas

v3.0.1: DOMPurify 3.0.1

Compare Source

• Fixed a problem with improper reset of custom HTML options, thanks @​ammaraskar

v3.0.0: DOMPurify 3.0.0

Compare Source

• Removed all code that is for MSIE-only
• Removed all tests that are for MSIE-only
• Modified documentation to reflect new state of MSIE support
• Added support for ALLOW_SELF_CLOSE_IN_ATTR flag, thanks @​edg2s @​AndreVirtimo
• Added better support for shadowrootmode, thanks @​mfreed7

NOTE Please use the 2.4.4 release if you still need MSIE support, 3.0.0 comes without the MSIE overhead

v2.5.8: DOMPurify 2.5.8

Compare Source

• Fixed two conditional sanitizer bypasses discovered by @​parrot409 and @​Slonser
• Updated the attribute clobbering checks to prevent future bypasses, thanks @​parrot409

v2.5.7: DOMPurify 2.5.7

Compare Source

• Fixed an issue with comment detection and possible bypasses with specific config settings, thanks @​masatokinugawa
• Removed the foreignObject element from the list of HTML entry-points, thanks @​masatokinugawa

v2.5.6: DOMPurify 2.5.6

Compare Source

• Fixed an issue with the execution logic of attribute hooks to prevent bypasses, thanks @​kevin-mizu
• Fixed a minor problem with the bower file pointing to the wrong dist path
• Updated several development dependencies

v2.5.5: DOMPurify 2.5.5

Compare Source

• Fixed a minor issue with the dist paths in bower.js, thanks @​HakumenNC
• Fixed a minor issue with sanitizing HTML coming from copy&paste Word content, thanks @​kakao-bishop-cho

v2.5.4: DOMPurify 2.5.4

Compare Source

• Fixed a bug with latest isNaN checks affecting MSIE, thanks @​tulach
• Fixed the tests for MSIE and fixed related test-runner

v2.5.3: DOMPurify 2.5.3

Compare Source

• Fixed several mXSS variations found by and thanks to @​kevin-mizu & @​Ry0taK
• Added better configurability for comment scrubbing default behavior
• Added better hardening against Prototype Pollution attacks, thanks @​kevin-mizu
• Fixed some smaller issues in README and other documentation

v2.5.2: DOMPurify 2.5.2

Compare Source

• Addressed and fixed a mXSS variation found by @​kevin-mizu
• Addressed and fixed a mXSS variation found by Adam Kues of Assetnote
• Updated tests for older Safari and Chrome versions

v2.5.1: DOMPurify 2.5.1

Compare Source

• Fixed an mXSS sanitizer bypass reported by @​icesfont
• Added new code to track element nesting depth
• Added new code to enforce a maximum nesting depth of 255
• Added coverage tests and necessary clobbering protections

Note that this is a security release and should be upgraded to immediately. Please also note that further releases may follow as the underlying vulnerability is apparently new and further variations may be discovered.

v2.5.0: DOMPurify 2.5.0

Compare Source

• Added new setting SAFE_FOR_XML to enable better control over comment scrubbing
• Updated the LICENSE file to show the accurate year number
• Updated several build and test dependencies

v2.4.9: DOMPurify 2.4.9

Compare Source

• Fixed another conditional bypass caused by Processing Instructions, thanks @​Ry0taK
• Fixed the regex for HTML Custom Element detection, thanks @​AlekseySolovey3T

v2.4.8: DOMPurify 2.4.8

Compare Source

• Fixed two possible bypasses when sanitizing an XML document and later using it in HTML, thanks @​Slonser

v2.4.7: DOMPurify 2.4.7

Compare Source

• Fixed a licensing issue spotted and reported by @​george-thomas-hill

v2.4.6: DOMPurify 2.4.6

Compare Source

• Fixed a bypass in jsdom 22 in case the noframes element is permitted, thanks @​leeN

v2.4.5: DOMPurify 2.4.5

Compare Source

• Fixed a problem with improper reset of custom HTML options, thanks @​ammaraskar

v2.4.4: DOMPurify 2.4.4

Compare Source

• Added support for ALLOW_SELF_CLOSE_IN_ATTR flag, thanks @​edg2s @​AndreVirtimo
• Added better support for shadowrootmode, thanks @​mfreed7

v2.4.3: DOMPurify 2.4.3

Compare Source

• Final release that is compatible with MSIE10 & MSIE 11

v2.4.2: DOMPurify 2.4.2

Compare Source

• Fixed a Trusted Types sink violation with empty input and NAMESPACE , thanks @​tosmolka
• Fixed a Prototype Pollution issue discovered and reported by @​kevin-mizu

v2.4.1: DOMPurify 2.4.1

Compare Source

• Added new config option ALLOWED_NAMESPACES for better XML handling, thanks @​kevin-deyoungster @​tosmolka
• Added better detection of template literals when SAFE_FOR_TEMPLATES is true
• Fixed an exception caused by DOM clobbering, thanks @​masatokinugawa
• Bumped some dependencies, thanks @​marcpenya-tf

v2.4.0: DOMPurify 2.4.0

Compare Source

• Removed bundled types again as they caused too much trouble

v2.3.12: DOMPurify 2.3.12

Compare Source

• Fixed an issue in 2.3.11 causing errors w. TypeScript, see #​712, thanks @​Mirco469, @​brentkeller, @​aryanisml

v2.3.11: DOMPurify 2.3.11

Compare Source

• Added generated type definitions for better compatibility
• Added SANITIZE_NAMED_PROPS config option, thanks @​SoheilKhodayari
• Updated README and config documentation, thanks @​0xedward
• Updated test suite with newer Node versions

v2.3.10: DOMPurify 2.3.10

Compare Source

• Added support for sanitization of attributes requiring Trusted Types, thanks @​tosmolka

v2.3.9: DOMPurify 2.3.9

Compare Source

• Made TAG and ATTR config options case-sensitive when parsing XHTML, thanks @​tosmolka
• Bumped some dependencies, thanks @​is2ei
• Included github-actions in the dependabot config, thanks @​nathannaveen

v2.3.8: DOMPurify 2.3.8

Compare Source

• Cleaned up a minor issue with the 2.3.7 release, thanks @​johnbirds

No other changes compared to 2.3.7 release, which entail:

• Fixes around a bug in Safari, thanks @​sybrew
• Slightly improved performance, thanks @​tiny-ben-tran
• Lots of chores, bumps and typo fixes, thanks @​is2ei
• Removed unnecessary string trimming, thanks @​christopherehlen

v2.3.7

Compare Source

v2.3.6: DOMPurify 2.3.6

Compare Source

• Added an option to allow HTML5 doctypes, thanks @​tosmolka
• Bumped several dependencies, thanks @​is2ei
• Updated documentation to cover recently added flags, thanks @​is2ei

v2.3.5: DOMPurify 2.3.5

Compare Source

• Performed several chores and cleanups, thanks @​is2ei
• Fixed a bug when working with Trusted Types, thanks @​tosmolka
• Fixed a bug with weird behavior on insecure nodes in IN_PLACE mode, thanks @​tosmolka
• Added more SVG attributes to allow-list, thanks @​rzhade3

v2.3.4: DOMPurify 2.3.4

Compare Source

• Added support for Custom Elements, thanks @​franktopel
• Added new config settings to control Custom Element sanitizing, thanks @​franktopel
• Added faster clobber checks, thanks @​GrantGryczan
• Allow-listed SVG feImage elements, thanks @​ydaniv
• Updated test suite
• Update supported Node versions
• Updated README

v2.3.3: DOMPurify 2.3.3

Compare Source

• Fixed a bug in the handing of PARSER_MEDIA_TYPE spotted by @​securitum-mb
• Adjusted the tests for MSIE to make sure the results are as expected now

v2.3.2: DOMPurify 2.3.2

Compare Source

• Added new config option PARSER_MEDIA_TYPE, thanks @​tosmolka

v2.3.1: DOMPurify 2.3.1

Compare Source

• Added code to make FORBID_CONTENTS setting configurable
• Added role to URI-safe attributes
• Added more paranoid handling for template elements

v2.3.0: DOMPurify 2.3.0

Compare Source

• Added better handling of document creation on Firefox
• Added better handling of version numbers in license file
• Added two new browser versions to test suite config
• Fixed a bug with handling of custom data attributes

v2.2.9: DOMPurify 2.2.9

Compare Source

• Fixed some minor issues related to the NAMESPACE config
• Fixed some minor issues relating to empty input
• Fixed some minor issues relating to handling of invalid XML

v2.2.8: DOMPurify 2.2.8

Compare Source

• Added NAMESPACE config option, thanks @​NateScarlet
• Added better fallback for older browsers & PhantomJS, thanks @​albanx
• Extended allow-list for SVG attributes a bit

v2.2.7: DOMPurify 2.2.7

Compare Source

• Fixed handling of unsupported browsers, i.e. Safari 9 and older
• Fixed various minor bugs and typos in README and examples
• Added better handling of potentially harmful "is" attributes
• Added better handling of lookupGetter functionality

v2.2.6: DOMPurify 2.2.6

Compare Source

• Added new mXSS prevention logic created by SecurityMB

v2.2.5

Compare Source

v2.2.4: DOMPurify 2.2.4

Compare Source

• Fixed a new MathML-based bypass submitted by PewGrand
• Fixed a new SVG-related bypass submitted by SecurityMB
• Updated NodeJS CI to Node 14.x and Node 15.x
• Cleaned up _forceRemove logic for better reliability

v2.2.3: DOMPurify 2.2.3

Compare Source

• Fixed an mXSS issue reported by PewGrand
• Fixed a minor issue with the license header
• Fixed a problem with overly-eager CSS stripping
• Updated the README and removed an XSS warning

v2.2.2: DOMPurify 2.2.2

Compare Source

• Fixed an mXSS bypass dropped on us publicly via #​482
• Fixed an mXSS variation that was reported privately short after
• Added dialog to permitted elements list
• Fixed a small typo in the README

v2.2.1

Compare Source

v2.2.0: DOMPurify 2.2.0

Compare Source

• Fix a possible XSS in Chrome that is hidden behind #enable-experimental-web-platform-features, reported by @​neilj and @​mfreed7
• Changed RETURN_DOM_IMPORT default to true to address said possible XSS
• Updated README to reflect the new change and inform about the risks of manually setting RETURN_DOM_IMPORT back to false
• Fixed the tests to properly address the new default

v2.1.1: DOMPurify 2.1.1

Compare Source

• Removed some code targeting old Safari versions
• Removed some code targeting older MS Edge versions
• Re-added some code targeting older Chrome versions, thanks @​terjanq
• Added new tests and removed unused SAFE_FOR_JQUERY test cases
• Added Node 14.x to existing test coverage

v2.1.0: DOMPurify 2.1.0

Compare Source

• Fixed several possible mXSS patterns, thanks @​hackvertor
• Removed the SAFE_FOR_JQUERY flag (we are safe by default now for jQuery)
• Removed several now useless mXSS checks
• Updated the mXSS check for elements
• Updated test cases to cover new sanitization strategy
• Updated test website to use newer jQuery
• Updated array of tested browsers and removed legacy browsers
• Added "auto convert" checkbox to test website, thanks @​hackvertor

v2.0.17: DOMPurify 2.0.17

Compare Source

• Fixed another bypass causing mXSS by using MathML

v2.0.16: DOMPurify 2.0.16

Compare Source

• Fixed an mXSS-based bypass caused by nested forms inside MathML
• Fixed a security error thrown on older Chrome on Android versions, see #​470

Credits for the bypass go to Michał Bentkowski (@​securityMB) of Securitum who spotted the bug in Chrome, turned it into another DOMPurify bypass, reported and helped verifying the fix 🙇‍♂️ 🙇‍♀️

v2.0.15: DOMPurify 2.0.15

Compare Source

• Added a renovated test suite, thanks @​peernohell
• Fixed some minor linter warnings

v2.0.14: DOMPurify 2.0.14

Compare Source

• Fixed a problem with the documentMode default value

v2.0.13

Compare Source

v2.0.12: DOMPurify 2.0.12

Compare Source

• Fixed a minor bug when working with Trusted Types
• Fixed some typos in a demo file
• Fixed some wordings in code and docs

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.