Update dependency sanitize-html to v2.17.5 #8

Open
renovate wants to merge 1 commit from renovate/sanitize-html-2.x-lockfile into main

This PR contains the following updates:

| Package | Change | Age | Confidence |
|---|---|---|---|
| sanitize-html (source) | 2.17.0 → 2.17.5 | (badge image) | (badge image) |
| @types/sanitize-html (source) | 2.16.0 → 2.16.1 | (badge image) | (badge image) |

Release Notes

apostrophecms/apostrophe (sanitize-html)

v2.17.5

Compare Source

Security
  • Added a number of new attributes to be protected against unsafe URLs, e.g. javascript: and similar. None of these are used in the default configuration of sanitize-html or apostrophe or likely to be used there, and some attributes, like an action for a form, are inherently unsafe to allow if XSS protection is your goal. Nevertheless it makes sense to block certain URL types where they are not appropriate. Some attributes are not supported at all by modern browsers but are included for completeness. Thanks to crattack for reporting the vulnerability.
  • Address a potential vulnerability when nonTextTags is configured in a nonstandard way. While it is never a good idea to remove known non-text tags from the standard list e.g. script, styles, etc., this change ensures that doing so does not result in nested tags being passed through without sanitization when they are not expressly allowed. (ApostropheCMS would never trigger this situation.) Thanks to Dipanshu singh for pointing out the issue and contributing the fix.

v2.17.4

Compare Source

Changes
  • sanitize-html and launder now share a single implementation of naughtyHref, based on that which previously existed in sanitize-html.
Security
  • Security vulnerability: the xmp tag could be used to pass forbidden markup through sanitize-html, even when xmp itself is not explicitly allowed. All users of sanitize-html should update immediately. Thanks to Vincenzo Turturro for reporting the vulnerability.

v2.17.3

Compare Source

Security
  • Fix vulnerability introduced in version 2.17.2 that allowed XSS attacks if the developer chose to permit option tags. There was no vulnerability when not explicitly allowing option tags.

v2.17.2

Compare Source

Changes
  • Upgrade htmlparser2 from 8.x to 10.1.0. This improves security by correctly decoding zero-padded numeric character references (e.g., &#0000001) that previously bypassed javascript: URL detection. Also fixes double-encoding of entities inside raw text elements like textarea and option.

v2.17.1

Compare Source

Fixes
  • Fix unclosed tags (e.g., <hello) returning empty string in escape and recursiveEscape modes. Fixes #706.
    Thanks to Byeong Hyeon for the fix.

Configuration

📅 Schedule: (UTC)

  • Branch creation
    • At any time (no schedule defined)
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about these updates again.


  • If you want to rebase/retry this PR, check this box

This PR has been generated by Mend Renovate.

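The v2.17.2 and v2.17.5 notes above turn on one point: a URL-scheme check has to decode numeric character references (zero-padded ones included) and drop the control characters a browser ignores inside a scheme before it compares the scheme against an allow-list, and it has to run over every attribute that carries a URL, `action` included. The block below is an added illustration for this page, not sanitize-html's code and not its naughtyHref implementation; the decoder, the ALLOWED_SCHEMES list, the URL_ATTRIBUTES set and every sample value are assumptions constructed here for the example.

```javascript
// Added illustration for this PR page; not sanitize-html's code. The decoder,
// the scheme allow-list and the attribute set below are this example's own
// assumptions, and every input is constructed.

// Decode decimal (&#NNN;) and hexadecimal (&#xHHH;) numeric character
// references. parseInt ignores leading zeros, so "&#0000001" yields U+0001
// exactly as "&#1" does; the semicolon is optional, as it is in browsers.
function decodeNumericRefs(s) {
  return s.replace(/&#(x[0-9a-f]+|[0-9]+);?/gi, (match, body) => {
    const isHex = body[0].toLowerCase() === 'x';
    const cp = isHex ? parseInt(body.slice(1), 16) : parseInt(body, 10);
    if (!Number.isFinite(cp) || cp > 0x10ffff) return match; // leave junk alone
    return String.fromCodePoint(cp);
  });
}

// Naive check: inspects the raw attribute value only, so an encoded or
// control-character-split scheme slips past it.
function naiveIsUnsafeHref(href) {
  return /^\s*javascript:/i.test(href);
}

// Schemes the example allows. Anything else with an explicit scheme
// (javascript:, data:, vbscript:, ...) is rejected; scheme-less and
// relative URLs pass.
const ALLOWED_SCHEMES = new Set(['http', 'https', 'mailto', 'tel', 'ftp']);

// Hardened check: decode references first, then remove the ASCII control
// characters and spaces a browser tolerates inside a scheme, then compare
// the resulting scheme against the allow-list.
function isUnsafeHref(href, allowed = ALLOWED_SCHEMES) {
  const normalized = decodeNumericRefs(String(href)).replace(/[\u0000-\u0020]+/g, '');
  const m = /^([a-z][a-z0-9+.-]*):/i.exec(normalized);
  if (!m) return false;
  return !allowed.has(m[1].toLowerCase());
}

// Attribute names whose values are URLs and therefore need the scheme check.
// This set is an assumption of the example; the attributes sanitize-html
// itself protects are defined by the library.
const URL_ATTRIBUTES = new Set(['href', 'src', 'action', 'formaction', 'cite', 'poster', 'data']);

// Return a copy of an element's attributes with unsafe URL values removed.
function dropUnsafeUrlAttributes(attrs) {
  const kept = {};
  for (const [name, value] of Object.entries(attrs)) {
    if (URL_ATTRIBUTES.has(name.toLowerCase()) && isUnsafeHref(value)) continue;
    kept[name] = value;
  }
  return kept;
}

// Constructed sample values that exercise the bypasses the release notes describe.
const SAMPLE_HREFS = [
  'https://example.com/',                      // plain, allowed
  '/relative/path',                            // no scheme, allowed
  'javascript:alert(1)',                       // caught by both checks
  'java&#0000001script:alert(1)',              // zero-padded reference: naive check misses it
  '&#106;avascript:alert(1)',                  // "j" encoded: naive check misses it
  'java\tscript:alert(1)',                     // tab inside the scheme: naive check misses it
  'data:text/html,<script>alert(1)</script>', // not in the allow-list
];

function compareChecks(hrefs = SAMPLE_HREFS) {
  return hrefs.map((href) => ({ href, naive: naiveIsUnsafeHref(href), hardened: isUnsafeHref(href) }));
}

for (const row of compareChecks()) {
  console.log(`${row.naive ? 'UNSAFE' : 'safe  '} / ${row.hardened ? 'UNSAFE' : 'safe  '}  ${row.href}`);
}
console.log(dropUnsafeUrlAttributes({ action: 'javascript:alert(1)', method: 'post', class: 'login' }));
```

Run it with `node` and the first column (naive) stays "safe" for the three disguised javascript: values while the second column (hardened) flags them; the last line shows a form whose `action` is dropped while the harmless attributes survive, which is why an attribute like `action` belongs in the protected set even though, as the v2.17.5 note says, allowing it at all is a poor idea when XSS is the concern. In sanitize-html the configurable `allowedSchemes` option plays the role ALLOWED_SCHEMES plays here.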
View command line instructions

Checkout

From your project repository, check out a new branch and test the changes.
git fetch -u origin renovate/sanitize-html-2.x-lockfile:renovate/sanitize-html-2.x-lockfile
git switch renovate/sanitize-html-2.x-lockfile

Merge

Merge the changes and update on Forgejo.

Warning: The "Autodetect manual merge" setting is not enabled for this repository, you will have to mark this pull request as manually merged afterwards.

Create a merge commit:

git switch main
git merge --no-ff renovate/sanitize-html-2.x-lockfile

Rebase, then fast-forward:

git switch renovate/sanitize-html-2.x-lockfile
git rebase main
git switch main
git merge --ff-only renovate/sanitize-html-2.x-lockfile

Rebase, then create a merge commit:

git switch renovate/sanitize-html-2.x-lockfile
git rebase main
git switch main
git merge --no-ff renovate/sanitize-html-2.x-lockfile

Squash (--squash stages the result without committing it; commit before pushing):

git switch main
git merge --squash renovate/sanitize-html-2.x-lockfile

Fast-forward only:

git switch main
git merge --ff-only renovate/sanitize-html-2.x-lockfile

Merge with the default strategy:

git switch main
git merge renovate/sanitize-html-2.x-lockfile

Then push the result:

git push origin main