This repository has been archived by the owner on Mar 3, 2022. It is now read-only.

Bump dompurify from 1.0.8 to 2.0.3 in /backend/server/public #95

Conversation

dependabot[bot]

@dependabot dependabot bot commented on behalf of github Aug 28, 2020

Bumps dompurify from 1.0.8 to 2.0.3.

Release notes

Sourced from dompurify's releases.

DOMPurify 2.0.3

  • Fixed another mXSS variation affecting Chrome, Safari and Edge relating to HTML templates
  • Fixed a bug in the config parser leading to unexpected results

Credits for the bypass again go to Michał Bentkowski (@securityMB) of Securitum who spotted the bug in Chrome, turned it into another DOMPurify bypass, reported it and helped verify the fix 🙇‍♂️ 🙇‍♀️

DOMPurify 2.0.2

Following the release of DOMPurify 2.0.1, a more thorough internal audit against Blink-based mXSS bugs was conducted. Several mXSS variations, spotted by @masatokinugawa were addressed and fixed. The fixes were reviewed and so far no new bypasses could be spotted.

This release manages to find what is believed to be a more holistic way to prevent mXSS bugs, specifically coming from HTML attributes and tags nested inside SVG and MathML.

Further, this release also addresses a DoS problem caused by sanitization of HTML tables when configured with potentially conflicting configuration settings.

DOMPurify 2.0.1

  • Fixed a bypass affecting latest Chrome, caused by a newly discovered Chrome mXSS vulnerability
  • Added tests to cover implemented fixes

Credits go to Michał Bentkowski (@SecurityMB) of Securitum who spotted the bug in Chrome, turned it into a DOMPurify bypass, reported it and helped verify the fix. 🙇

DOMPurify 2.0.0

Note: This release makes sure that, by default only string objects are returned (if not specified otherwise). This change relates to a surprising behavior in Chrome 77 - having to do with Trusted Types.

  • Changed the default behavior for Trusted Types (See #361)
  • Added a new config flag to manually enable Trusted Types support
  • Added support for more attributes
  • Fixed a minor CSP warning

DOMPurify 1.0.11

  • Fixed a minor problem with persistent config flags
  • Fixed a problem with extraneous HTML elements
  • Fixed some minor issues in README and Demo
  • Expanded the array of permitted SVG properties
  • Expanded the array of permitted HTML properties

DOMPurify 1.0.10

  • Fixed a possible security problem when SAFE_FOR_TEMPLATES is true (default is false), thanks @masatokinugawa
  • Fixed a security problem when ALLOWED_TAGS or ADD_TAGS white-lists noembed or noscript (not the default), thanks @masatokinugawa
  • Added better internal code hardening, thanks @choumx
  • Extended the SVG attribute whitelist
  • Added more tests
  • Added better browser coverage for CI via BrowserStack
  • Cleaned up legacy browser coverage for CI via BrowserStack

DOMPurify 1.0.9

  • Extended array of tested browsers
  • Fixed a build error caused by npm@natives
  • Optimized handling of leading white-space
  • Squashed a memory leak
  • Removed a spurious alert from internal tests

Commits
  • d16ba74 Fixed Tests for Chrome 22
  • cf6eade Fixed a typo
  • 1882b8c Adjusted some more tests for Safari 8 and MSIE10
  • db5e71d Adjusted more tests for Safari 8
  • 2bcb446 Adjusted the tests to reflect the new "no SVG for Safari 8" situation
  • 59dbf8e Trying to target Safari 8 in yet a different way
  • 3b31f82 Changed Safari 8 XSS fix again to be more accurate
  • 27a3e6a Used instanceof instead of typeof, duh
  • 01984d1 Made the Safari 8 XSS fix be more accurate
  • 6ff479b Made the Safari 8 check be more accurate
  • Additional commits viewable in compare view

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
  • @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
  • @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
  • @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
  • @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language

You can disable automated security fix PRs for this repo from the Security Alerts page.
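A bump like this one only fixes the mXSS bypasses listed above if the version that actually ends up resolved in the lockfile is 2.0.3 or later, and a nested copy pulled in by another package is not touched by a top-level bump. The following is an added example (not code from the Dependabot PR or from the DOMPurify project) that walks an npm lockfile v1 `dependencies` tree, collects every resolved copy of dompurify, and reports the ones still below the PR's target version. The lockfile content and the `legacy-editor` package in it are constructed for the example; the version comparison ignores prerelease tags, which is a deliberate simplification.

```javascript
// Added example: audit an npm lockfile (v1 "dependencies" tree) for copies of
// dompurify older than the version this PR bumps to. Not part of the PR or of
// DOMPurify itself; the sample lockfile below is constructed for illustration.

const MIN_SAFE = '2.0.3'; // target version of this Dependabot PR
const PACKAGE = 'dompurify';

// Compare two "x.y.z" versions numerically; returns -1, 0 or 1.
// Prerelease suffixes ("2.0.3-beta.1") are stripped, a simplification of semver.
function compareVersions(a, b) {
  const pa = a.split('-')[0].split('.').map(Number);
  const pb = b.split('-')[0].split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const x = pa[i] || 0;
    const y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Recursively collect every resolved copy of `name` in a lockfile v1 tree,
// including nested copies under other packages' "dependencies" blocks, since a
// bump of the direct dependency leaves those untouched.
function findInstalled(tree, name, path = [], out = []) {
  const deps = (tree && tree.dependencies) || {};
  for (const [dep, info] of Object.entries(deps)) {
    const here = path.concat(dep);
    if (dep === name) out.push({ path: here.join(' > '), version: info.version });
    findInstalled(info, name, here, out);
  }
  return out;
}

// Return the copies of `name` whose resolved version is below `minSafe`.
function auditLockfile(lockJson, name = PACKAGE, minSafe = MIN_SAFE) {
  const lock = typeof lockJson === 'string' ? JSON.parse(lockJson) : lockJson;
  return findInstalled(lock, name).filter(c => compareVersions(c.version, minSafe) < 0);
}

// Human-readable report lines, one per stale copy (empty when clean).
function formatReport(lockJson) {
  return auditLockfile(lockJson).map(c => `${c.path} resolves to ${c.version} (< ${MIN_SAFE})`);
}

// Constructed sample: the direct dependency was bumped to 2.0.3, but a nested
// copy under a hypothetical "legacy-editor" package is still pinned to 1.0.8.
const SAMPLE_LOCK = JSON.stringify({
  name: 'server-public',
  lockfileVersion: 1,
  dependencies: {
    dompurify: {
      version: '2.0.3',
      resolved: 'https://registry.npmjs.org/dompurify/-/dompurify-2.0.3.tgz'
    },
    'legacy-editor': {
      version: '0.1.0',
      requires: { dompurify: '^1.0.0' },
      dependencies: {
        dompurify: {
          version: '1.0.8',
          resolved: 'https://registry.npmjs.org/dompurify/-/dompurify-1.0.8.tgz'
        }
      }
    }
  }
});

console.log(formatReport(SAMPLE_LOCK).join('\n') || `no ${PACKAGE} below ${MIN_SAFE}`);
```

Run it against the real `package-lock.json` under `backend/server/public` by replacing `SAMPLE_LOCK` with the file contents; a non-empty report means the bypass fixes have not reached every copy the bundle can load.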

@dependabot dependabot bot added dependencies Pull requests that update a dependency file javascript Pull requests that update Javascript code labels Aug 28, 2020

dependabot bot commented on behalf of github Sep 4, 2020

Superseded by #98.

@dependabot dependabot bot closed this Sep 4, 2020
@dependabot dependabot bot deleted the dependabot/npm_and_yarn/backend/server/public/dompurify-2.0.3 branch September 4, 2020 03:29