[GHSA-cjmm-f4jc-qw8r] DOMPurify ADD_ATTR predicate skips URI validation

[alejandl-msft]

Updates

• Affected products

Comments
2.5.9 also has a patch for this

[github]

Hi there @cure53! A community member has suggested an improvement to your security advisory. If approved, this change will affect the global advisory listed at github.com/advisories. It will not affect the version listed in your project repository.

This change will be reviewed by our Security Curation Team. If you have thoughts or feedback, please share them in a comment here! If this PR has already been closed, you can start a new community contribution for this advisory

[shelbyc]

Hi @alejandl-msft, where did you find information about version 2.5.9 also having a patch? https://github.com/cure53/DOMPurify/releases/tag/3.3.2 has an item called Fixed a lenient config parsing in _isValidAttribute, thanks @christos-eth that refers to a patch in 3.3.2, but https://github.com/cure53/DOMPurify/releases/tag/2.5.9 doesn't have a similar line. I also tried comparing cure53/DOMPurify@2.5.8...2.5.9 and cure53/DOMPurify@3.3.1...3.3.2 but wasn't able to find a fix for _isValidAttribute in cure53/DOMPurify@2.5.8...2.5.9.