Skip to content

Bump sanitize-html from 2.17.4 to 2.17.5#340

Merged
stopfstedt merged 1 commit into
masterfrom
dependabot/npm_and_yarn/sanitize-html-2.17.5
Jun 18, 2026
Merged

Bump sanitize-html from 2.17.4 to 2.17.5#340
stopfstedt merged 1 commit into
masterfrom
dependabot/npm_and_yarn/sanitize-html-2.17.5

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jun 18, 2026

Copy link
Copy Markdown
Contributor

Bumps sanitize-html from 2.17.4 to 2.17.5.

Changelog

Sourced from sanitize-html's changelog.

2.17.5 (2026-06-10)

Security

  • Added a number of new attributes to be protected against unsafe URLs, e.g. javascript: and similar. None of these are used in the default configuration of sanitize-html or apostrophe or likely to be used there, and some attributes, like an action for a form, are inherently unsafe to allow if XSS protection is your goal. Nevertheless it makes sense to block certain URL types where they are not appropriate. Some attributes are not supported at all by modern browsers but are included for completeness. Thanks to crattack for reporting the vulnerability.
  • Address a potential vulnerability when nonTextTags is configured in a nonstandard way. While it is never a good idea to remove known non-text tags from the standard list e.g. script, styles, etc., this change ensures that doing so does not result in nested tags being passed through without sanitization when they are not expressly allowed. (ApostropheCMS would never trigger this situation.) Thanks to Dipanshu singh for pointing out the issue and contributing the fix.
Commits

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

@dependabot
Bump sanitize-html from 2.17.4 to 2.17.5
ec32f96 
Bumps [sanitize-html](https://github.com/apostrophecms/apostrophe/tree/HEAD/packages/sanitize-html) from 2.17.4 to 2.17.5.
- [Changelog](https://github.com/apostrophecms/apostrophe/blob/main/packages/sanitize-html/CHANGELOG.md)
- [Commits](https://github.com/apostrophecms/apostrophe/commits/sanitize-html@2.17.5/packages/sanitize-html)

---
updated-dependencies:
- dependency-name: sanitize-html
  dependency-version: 2.17.5
  dependency-type: direct:development
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code labels Jun 18, 2026
@netlify

netlify Bot commented Jun 18, 2026

Copy link
Copy Markdown

Deploy Preview for iliosproject ready!

Name Link
🔨 Latest commit ec32f96
🔍 Latest deploy log https://app.netlify.com/projects/iliosproject/deploys/6a33e83b37637700081cced5
😎 Deploy Preview https://deploy-preview-340--iliosproject.netlify.app
📱 Preview on mobile
Toggle QR Code...

QR Code

Use your smartphone camera to open QR code link.
🤖 Make changes Run an agent on this branch

To edit notification comments on pull requests, go to your Netlify project configuration.

@github-actions

github-actions Bot commented Jun 18, 2026
edited
Loading

Copy link
Copy Markdown

✅ Visual Diff Approved

❌ Visual Diff Report — FAILED

54 images compared: 2 different · 52 identical

Details

Differences (2)

File Diff % Notes
news-webkit-1280x720.png 0.03%
parking-pricing-webkit-1280x720.png 2.07%

Download the results.

@stopfstedt stopfstedt self-assigned this Jun 18, 2026
@stopfstedt stopfstedt merged commit 447c3b0 into master Jun 18, 2026
12 of 19 checks passed
@dependabot dependabot Bot deleted the dependabot/npm_and_yarn/sanitize-html-2.17.5 branch June 18, 2026 14:59
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@stopfstedt stopfstedt stopfstedt approved these changes

Assignees

@stopfstedt stopfstedt

Labels

approve visual diff dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@stopfstedt