
Commit c6c0d56

authored
CRW-10794: Fix CVE-2026-41240 by updating DOMPurify to patched version (che-incubator#702)
Signed-off-by: Stephane Bouchet <sbouchet@redhat.com>
1 parent 7ba8e33 commit c6c0d56

7 files changed

Lines changed: 216 additions & 94 deletions


code/extensions/markdown-language-features/package-lock.json

Lines changed: 4 additions & 4 deletions

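--- a/code/extensions/markdown-language-features/package.json
+++ b/code/extensions/markdown-language-features/package.json
@@ -767,7 +767,7 @@
 },
 "dependencies": {
 "@vscode/extension-telemetry": "^0.9.8",
-"dompurify": "^3.2.7",
+"dompurify": "^3.4.2",
 "highlight.js": "^11.8.0",
 "markdown-it": "^12.3.2",
 "markdown-it-front-matter": "^0.2.4",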

code/extensions/mermaid-chat-features/package-lock.json

Lines changed: 4 additions & 4 deletions

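--- a/code/extensions/mermaid-chat-features/package.json
+++ b/code/extensions/mermaid-chat-features/package.json
@@ -82,7 +82,7 @@
 "@types/node": "^22.18.10"
 },
 "dependencies": {
-"dompurify": "^3.2.7",
+"dompurify": "^3.4.2",
 "mermaid": "^11.11.0"
 }
 }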

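--- a/code/src/vs/base/browser/dompurify/cgmanifest.json
+++ b/code/src/vs/base/browser/dompurify/cgmanifest.json
@@ -6,12 +6,12 @@
 "git": {
 "name": "dompurify",
 "repositoryUrl": "https://github.com/cure53/DOMPurify",
-"commitHash": "eaa0bdb26a1d0164af587d9059b98269008faece",
-"tag": "3.2.7"
+"commitHash": "6f67fd396a7b8c64294343999fe607ca1f5299c0",
+"tag": "3.4.2"
 }
 },
 "license": "Apache 2.0",
-"version": "3.2.7"
+"version": "3.4.2"
 }
 ],
 "version": 1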

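--- a/code/src/vs/base/browser/dompurify/dompurify.d.ts
+++ b/code/src/vs/base/browser/dompurify/dompurify.d.ts
@@ -1,4 +1,4 @@
-/*! @license DOMPurify 3.2.7 | (c) Cure53 and other contributors | Released under the Apache license 2.0 and Mozilla Public License 2.0 | github.com/cure53/DOMPurify/blob/3.2.7/LICENSE */
+/*! @license DOMPurify 3.4.2 | (c) Cure53 and other contributors | Released under the Apache license 2.0 and Mozilla Public License 2.0 | github.com/cure53/DOMPurify/blob/3.4.2/LICENSE */
 
 import type { TrustedTypePolicy, TrustedHTML, TrustedTypesWindow } from 'trusted-types/lib/index.d.ts';
 
@@ -8,16 +8,20 @@ import type { TrustedTypePolicy, TrustedHTML, TrustedTypesWindow } from 'trusted
 interface Config {
 /**
 * Extend the existing array of allowed attributes.
+* Can be an array of attribute names, or a function that receives
+* the attribute name and tag name to determine if the attribute is allowed.
 */
-ADD_ATTR?: string[] | undefined;
+ADD_ATTR?: string[] | ((attributeName: string, tagName: string) => boolean) | undefined;
 /**
 * Extend the existing array of elements that can use Data URIs.
 */
 ADD_DATA_URI_TAGS?: string[] | undefined;
 /**
 * Extend the existing array of allowed tags.
+* Can be an array of tag names, or a function that receives
+* the tag name to determine if the tag is allowed.
 */
-ADD_TAGS?: string[] | undefined;
+ADD_TAGS?: string[] | ((tagName: string) => boolean) | undefined;
 /**
 * Extend the existing array of elements that are safe for URI-like values (be careful, XSS risk).
 */
@@ -90,6 +94,10 @@ interface Config {
 * Add child elements to be removed when their parent is removed.
 */
 FORBID_CONTENTS?: string[] | undefined;
+/**
+* Extend the existing or default array of forbidden content elements.
+*/
+ADD_FORBID_CONTENTS?: string[] | undefined;
 /**
 * Add elements to block-list.
 */
@@ -195,7 +203,7 @@ interface UseProfilesConfig {
 */
 svg?: boolean | undefined;
 /**
-* Allow all save SVG Filters.
+* Allow all safe SVG Filters.
 */
 svgFilters?: boolean | undefined;
 /**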
