Bump sanitize-html from 2.17.3 to 2.17.4

[dependabot]

Bumps sanitize-html from 2.17.3 to 2.17.4.

Changelog

Sourced from sanitize-html's changelog.

2.17.4

Changes

• sanitize-html and launder now share a single implementation of naughtyHref, based on that which previously existed in sanitize-html.

Security

• Security vulnerability: the xmp tag could be used to pass forbidden markup through sanitize-html, even when xmp itself is not explicitly allowed All users of sanitize-html should update immediately. Thanks to Vincenzo Turturro for reporting the vulnerability.

Commits

• See full diff in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

---

Summary by cubic

Upgrade sanitize-html to 2.17.4 to fix a security issue where the xmp tag could bypass sanitization. This mitigates XSS risk with no application code changes.

• Dependencies
  • Bumped sanitize-html from 2.17.3 to 2.17.4.
  • Adds transitive launder@^1.7.1 and dayjs@^1.11.7.
  • Updated package-lock.json and yarn.lock.

^{Written for commit 3a0353c. Summary will update on new commits.}

[github-actions]

🤖 Hi @dependabot[bot], I've received your request, and I'm working on it now! You can track my progress in the logs for more details.

[github-actions]

🤖 I'm sorry @dependabot[bot], but I was unable to process your request. Please see the logs for more details.

[cubic-dev-ai]

No issues found across 3 files

Confidence score: 5/5

• Automated review surfaced no issues in the provided summaries.
• No files require special attention.

Architecture diagram

sequenceDiagram
    participant Client as Web Client
    participant App as Application Server
    participant Sanitizer as sanitize-html 2.17.4
    participant Launder as launder (shared)

    Note over Client,Launder: HTML Sanitization Flow (Security Critical)

    Client->>App: Submit user-generated HTML content
    App->>Sanitizer: sanitize(html, options)
    
    Note over Sanitizer: NEW: xmp tag properly handled<br>as forbidden content wrapper
    
    Sanitizer->>Launder: CHANGED: naughtyHref() shared implementation
    
    alt Unchanged path - allowed tags
        Launder-->>Sanitizer: clean href values
        Sanitizer->>Sanitizer: Parse allowed tags and attributes
        Sanitizer-->>App: Sanitized HTML (safe)
    else CHANGED path - xmp tag present
        Launder-->>Sanitizer: clean href values
        Sanitizer->>Sanitizer: NEW: Correctly process xmp as forbidden<br>instead of allowing embedded tags
        Sanitizer-->>App: Sanitized HTML (xmp content stripped)
    end

    alt Malicious content detected
        Sanitizer->>Sanitizer: Strip forbidden tags (including xmp)
        Sanitizer-->>App: Clean HTML output
    end
    
    App-->>Client: Return sanitized content

Loading