CRW-10794: Fix CVE-2026-41240 by updating DOMPurify to patched version (che-incubator#702)

Signed-off-by: Stephane Bouchet <sbouchet@redhat.com>

Author: sbouchet

code/extensions/markdown-language-features/package-lock.json

@@ -767,7 +767,7 @@
   },
   "dependencies": {
     "@vscode/extension-telemetry": "^0.9.8",
-    "dompurify": "^3.2.7",
+    "dompurify": "^3.4.2",
     "highlight.js": "^11.8.0",
     "markdown-it": "^12.3.2",
     "markdown-it-front-matter": "^0.2.4",

code/extensions/markdown-language-features/package.json

@@ -82,7 +82,7 @@
     "@types/node": "^22.18.10"
   },
   "dependencies": {
-    "dompurify": "^3.2.7",
+    "dompurify": "^3.4.2",
     "mermaid": "^11.11.0"
   }
 }

code/extensions/mermaid-chat-features/package-lock.json

@@ -6,12 +6,12 @@
 				"git": {
 					"name": "dompurify",
 					"repositoryUrl": "https://github.com/cure53/DOMPurify",
-					"commitHash": "eaa0bdb26a1d0164af587d9059b98269008faece",
-					"tag": "3.2.7"
+					"commitHash": "6f67fd396a7b8c64294343999fe607ca1f5299c0",
+					"tag": "3.4.2"
 				}
 			},
 			"license": "Apache 2.0",
-			"version": "3.2.7"
+			"version": "3.4.2"
 		}
 	],
 	"version": 1

code/extensions/mermaid-chat-features/package.json

@@ -1,4 +1,4 @@
-/*! @license DOMPurify 3.2.7 | (c) Cure53 and other contributors | Released under the Apache license 2.0 and Mozilla Public License 2.0 | github.com/cure53/DOMPurify/blob/3.2.7/LICENSE */
+/*! @license DOMPurify 3.4.2 | (c) Cure53 and other contributors | Released under the Apache license 2.0 and Mozilla Public License 2.0 | github.com/cure53/DOMPurify/blob/3.4.2/LICENSE */
 
 import type { TrustedTypePolicy, TrustedHTML, TrustedTypesWindow } from 'trusted-types/lib/index.d.ts';
 
@@ -8,16 +8,20 @@ import type { TrustedTypePolicy, TrustedHTML, TrustedTypesWindow } from 'trusted
 interface Config {
 	/**
 	 * Extend the existing array of allowed attributes.
+	 * Can be an array of attribute names, or a function that receives
+	 * the attribute name and tag name to determine if the attribute is allowed.
 	 */
-	ADD_ATTR?: string[] | undefined;
+	ADD_ATTR?: string[] | ((attributeName: string, tagName: string) => boolean) | undefined;
 	/**
 	 * Extend the existing array of elements that can use Data URIs.
 	 */
 	ADD_DATA_URI_TAGS?: string[] | undefined;
 	/**
 	 * Extend the existing array of allowed tags.
+	 * Can be an array of tag names, or a function that receives
+	 * the tag name to determine if the tag is allowed.
 	 */
-	ADD_TAGS?: string[] | undefined;
+	ADD_TAGS?: string[] | ((tagName: string) => boolean) | undefined;
 	/**
 	 * Extend the existing array of elements that are safe for URI-like values (be careful, XSS risk).
 	 */
@@ -90,6 +94,10 @@ interface Config {
 	 * Add child elements to be removed when their parent is removed.
 	 */
 	FORBID_CONTENTS?: string[] | undefined;
+	/**
+	 * Extend the existing or default array of forbidden content elements.
+	 */
+	ADD_FORBID_CONTENTS?: string[] | undefined;
 	/**
 	 * Add elements to block-list.
 	 */
@@ -195,7 +203,7 @@ interface UseProfilesConfig {
 	 */
 	svg?: boolean | undefined;
 	/**
-	 * Allow all save SVG Filters.
+	 * Allow all safe SVG Filters.
 	 */
 	svgFilters?: boolean | undefined;
 	/**