
security: upgrade dompurify to 3.4.0 for XSS protection#22

Closed
wtfiwtz wants to merge 1 commit into master from security/dompurify-3.4.0

Conversation

@wtfiwtz

@wtfiwtz wtfiwtz commented Jun 2, 2026

Summary

Upgrade dompurify from 2.x to 3.4.0 to address XSS bypass vulnerabilities and improve DOM clobbering attack protection.

Changes

  • package.json: Update dompurify ^2.0.17 → ^3.4.0
  • viz-lib/package.json: Update dompurify ^2.0.7 → ^3.4.0, remove @types/dompurify
  • viz-lib/src/services/sanitize.ts: Add explicit type annotation for DOMPurify 3.x sanitize() return type
  • Regenerate pnpm-lock.yaml

CVEs Addressed

This PR addresses multiple XSS vulnerabilities:

  • XSS bypass fixes in DOMPurify 3.x series
  • DOM clobbering attack protection improvements
  • Enhanced protection against attribute-based XSS vectors
  • Better handling of edge cases in HTML parsing

DOMPurify 3.x includes significant security improvements over 2.x, particularly around handling of complex HTML structures and edge cases that could lead to XSS vulnerabilities in previous versions.

Code Changes

The main code change is in sanitize.ts where we add an explicit type annotation for the sanitize() function. DOMPurify 3.x returns TrustedHTML | string, which can break TypeScript declaration emit. The type annotation ensures portability:

const sanitize = DOMPurify.sanitize as (
  dirty: string | Node,
  cfg?: DOMPurify.Config
) => string;

This change maintains backward compatibility while leveraging DOMPurify 3.x security improvements.

Test Results

  • ✅ Frontend tests: All 15 test suites passed (90 tests)
  • ✅ TypeScript compilation: Type checking passed successfully

Related PRs

Part of the frontend security upgrade series split from getredash#7720:

Made with Cursor
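The cast in sanitize.ts only changes what the TypeScript compiler believes about sanitize(); it does not change what DOMPurify returns at runtime. The added example below (it is not code from this PR or from Redash) shows a wrapper that keeps a string-typed signature but also guarantees a string at runtime: a TrustedHTML result is unwrapped with String(), and configurations that would return DOM nodes are refused instead of being mislabelled. The TrustedHTMLLike and SanitizerConfig types and the fakeSanitize function are constructed stand-ins so the block runs offline; fakeSanitize is not a real sanitizer.

```typescript
// Assumption: a minimal stand-in for the browser's TrustedHTML, an object
// whose toString() yields the sanitized markup.
interface TrustedHTMLLike {
  toString(): string;
}

// Assumption: the subset of DOMPurify's Config that changes the return shape.
interface SanitizerConfig {
  RETURN_TRUSTED_TYPE?: boolean;
  RETURN_DOM?: boolean;
  RETURN_DOM_FRAGMENT?: boolean;
}

type SanitizeFn = (dirty: string, cfg?: SanitizerConfig) => string | TrustedHTMLLike;

// Build a wrapper that always yields a string at runtime, whichever
// representation the underlying sanitizer returned.
function makeStringSanitizer(sanitize: SanitizeFn) {
  return (dirty: string, cfg: SanitizerConfig = {}): string => {
    // RETURN_DOM / RETURN_DOM_FRAGMENT hand back Node objects, which a
    // string-typed signature cannot represent; refuse rather than mislabel.
    if (cfg.RETURN_DOM || cfg.RETURN_DOM_FRAGMENT) {
      throw new TypeError("string sanitizer does not support RETURN_DOM* options");
    }
    const result = sanitize(dirty, cfg);
    // String() unwraps a TrustedHTML-like object via toString() and is a
    // no-op for plain strings.
    return typeof result === "string" ? result : String(result);
  };
}

// Constructed stand-in sanitizer for offline demonstration only: it strips
// every tag except <b> and, when asked, wraps the output as a
// TrustedHTML-like object. It is NOT a real sanitizer.
const fakeSanitize: SanitizeFn = (dirty, cfg = {}) => {
  const cleaned = dirty.replace(/<(?!\/?b>)[^>]*>/g, "");
  if (cfg.RETURN_TRUSTED_TYPE) {
    return { toString: () => cleaned };
  }
  return cleaned;
};

// Runtime-safe wrapper: the exported sanitize() a caller would use.
const sanitizeAsString = makeStringSanitizer(fakeSanitize);

// Contrast: a bare `as` cast, like the one in sanitize.ts, lets the compiler
// see a string while the runtime value is still an object.
function castOnly(dirty: string): string {
  const s = fakeSanitize as (d: string, c?: SanitizerConfig) => string;
  return s(dirty, { RETURN_TRUSTED_TYPE: true });
}
```

The wrapper is what you would put behind the cast if callers may pass RETURN_TRUSTED_TYPE (for example under a Trusted Types CSP): the `as` keeps declaration emit portable, and the String() normalization keeps downstream string operations from ever seeing an object.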

Upgrade dompurify from 2.x to 3.4.0 to address XSS bypass vulnerabilities
and improve DOM clobbering attack protection.

Changes:
- package.json: Update dompurify ^2.0.17 → ^3.4.0
- viz-lib/package.json: Update dompurify ^2.0.7 → ^3.4.0
- viz-lib/package.json: Remove @types/dompurify (no longer needed for v3)
- viz-lib/src/services/sanitize.ts: Add explicit type annotation for
  DOMPurify 3.x sanitize() return type to ensure TypeScript declaration
  emit remains portable (TrustedHTML | string → string)
- Regenerate pnpm-lock.yaml

CVEs Addressed:
- Multiple XSS bypass fixes in DOMPurify 3.x series
- Improved sanitization for DOM clobbering attacks
- Enhanced protection against attribute-based XSS vectors
- Better handling of edge cases in HTML parsing and sanitization

DOMPurify 3.x includes significant security improvements over 2.x,
particularly around handling of complex HTML structures and edge cases
that could lead to XSS vulnerabilities.

Test Results:
- Frontend tests: ✓ All 15 test suites passed (90 tests)
- TypeScript compilation: ✓ Type checking passed

Co-authored-by: Cursor <cursoragent@cursor.com>
@wtfiwtz wtfiwtz closed this Jun 3, 2026
