Update dependency dompurify to v2.5.4 [SECURITY]

[renovate]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
dompurify	2.0.12 -> 2.5.4

GitHub Vulnerability Alerts

CVE-2019-16728

Versions of dompurify prior to 2.0.3 are vulnerable to Cross-Site Scripting (XSS). The package has an XSS filter bypass due to Mutation XSS in both Chrome and Safari through a combination of <svg>/<math> elements and </p>/</br>. An example payload is: <svg></p><style><a id="</style><img src=1 onerror=alert(1)>">. This allows attackers to bypass the XSS protection and execute arbitrary JavaScript in a victim's browser.

Recommendation

Upgrade to version 2.0.3 or later. You may also disallow <svg> and <math> through dompurify configurations:

     FORBID_TAGS: ['svg', 'math']
 });```

#### [GHSA-mjjq-c88q-qhr6](https://redirect.github.com/cure53/DOMPurify/releases/tag/2.0.7)

Versions of `dompurify` prior to 2.0.7 are vulnerable to Cross-Site Scripting (XSS). It is possible to bypass the package sanitization through Mutation XSS, which may allow an attacker to execute arbitrary JavaScript in a victim's browser.

## Recommendation

Upgrade to version 2.0.7 or later.

#### [CVE-2020-26870](https://nvd.nist.gov/vuln/detail/CVE-2020-26870)

Cure53 DOMPurify before 2.0.17 allows mutation XSS. This occurs because a serialize-parse roundtrip does not necessarily return the original DOM tree, and a namespace can change from HTML to MathML, as demonstrated by nesting of FORM elements.

#### [CVE-2019-25155](https://nvd.nist.gov/vuln/detail/CVE-2019-25155)

DOMPurify before 1.0.11 allows reverse tabnabbing in demos/hooks-target-blank-demo.html because links lack a 'rel="noopener noreferrer"' attribute.

#### [CVE-2024-45801](https://redirect.github.com/cure53/DOMPurify/security/advisories/GHSA-mmhx-hmjr-r674)

It has been discovered that malicious HTML using special nesting techniques can bypass the depth checking added to DOMPurify in recent releases. It was also possible to use Prototype Pollution to weaken the depth check.

This renders dompurify unable to avoid XSS attack.

Fixed by https://github.com/cure53/DOMPurify/commit/1e520262bf4c66b5efda49e2316d6d1246ca7b21 (3.x branch) and https://github.com/cure53/DOMPurify/commit/26e1d69ca7f769f5c558619d644d90dd8bf26ebc (2.x branch).

#### [CVE-2024-47875](https://redirect.github.com/cure53/DOMPurify/security/advisories/GHSA-gx9m-whjm-85jf)

DOMpurify was vulnerable to nesting-based mXSS 

fixed by [0ef5e537](https://redirect.github.com/cure53/DOMPurify/tree/0ef5e537a514f904b6aa1d7ad9e749e365d7185f) (2.x) and
[merge 943](https://redirect.github.com/cure53/DOMPurify/pull/943)

Backporter should be aware of GHSA-mmhx-hmjr-r674 (CVE-2024-45801) when cherry-picking

POC is avaible under [test](https://redirect.github.com/cure53/DOMPurify/blob/0ef5e537a514f904b6aa1d7ad9e749e365d7185f/test/test-suite.js#L2098)

---

### Release Notes

<details>
<summary>cure53/DOMPurify (dompurify)</summary>

### [`v2.5.4`](https://redirect.github.com/cure53/DOMPurify/releases/tag/2.5.4): DOMPurify 2.5.4

[Compare Source](https://redirect.github.com/cure53/DOMPurify/compare/2.5.3...2.5.4)

-   Fixed a bug with latest `isNaN` checks affecting MSIE, thanks [@&#8203;tulach](https://redirect.github.com/tulach)
-   Fixed the tests for MSIE and fixed related test-runner

### [`v2.5.3`](https://redirect.github.com/cure53/DOMPurify/releases/tag/2.5.3): DOMPurify 2.5.3

[Compare Source](https://redirect.github.com/cure53/DOMPurify/compare/2.5.2...2.5.3)

-   Fixed several mXSS variations found by and thanks to [@&#8203;kevin-mizu](https://redirect.github.com/kevin-mizu) & [@&#8203;Ry0taK](https://redirect.github.com/Ry0taK)
-   Added better configurability for comment scrubbing default behavior
-   Added better hardening against Prototype Pollution attacks, thanks [@&#8203;kevin-mizu](https://redirect.github.com/kevin-mizu)
-   Fixed some smaller issues in README and other documentation

### [`v2.5.2`](https://redirect.github.com/cure53/DOMPurify/releases/tag/2.5.2): DOMPurify 2.5.2

[Compare Source](https://redirect.github.com/cure53/DOMPurify/compare/2.5.1...2.5.2)

-   Addressed and fixed a mXSS variation found by [@&#8203;kevin-mizu](https://redirect.github.com/kevin-mizu)
-   Addressed and fixed a mXSS variation found by [Adam Kues](https://twitter.com/hash_kitten) of Assetnote
-   Updated tests for older Safari and Chrome versions

### [`v2.5.1`](https://redirect.github.com/cure53/DOMPurify/releases/tag/2.5.1): DOMPurify 2.5.1

[Compare Source](https://redirect.github.com/cure53/DOMPurify/compare/2.5.0...2.5.1)

-   Fixed an mXSS sanitizer bypass reported by [@&#8203;icesfont](https://redirect.github.com/icesfont)
-   Added new code to track element nesting depth
-   Added new code to enforce a maximum nesting depth of 255
-   Added coverage tests and necessary clobbering protections

**Note that this is a security release and should be upgraded to immediately. Please also note that further releases may follow as the underlying vulnerability is apparently new and further variations may be discovered.**

### [`v2.5.0`](https://redirect.github.com/cure53/DOMPurify/releases/tag/2.5.0): DOMPurify 2.5.0

[Compare Source](https://redirect.github.com/cure53/DOMPurify/compare/2.4.9...2.5.0)

-   Added new setting `SAFE_FOR_XML` to enable better control over comment scrubbing
-   Updated the LICENSE file to show the accurate year number
-   Updated several build and test dependencies

### [`v2.4.9`](https://redirect.github.com/cure53/DOMPurify/releases/tag/2.4.9): DOMPurify 2.4.9

[Compare Source](https://redirect.github.com/cure53/DOMPurify/compare/2.4.8...2.4.9)

-   Fixed another conditional bypass caused by Processing Instructions, thanks [@&#8203;Ry0taK](https://redirect.github.com/Ry0taK)
-   Fixed the regex for HTML Custom Element detection, thanks [@&#8203;AlekseySolovey3T](https://redirect.github.com/AlekseySolovey3T)

### [`v2.4.8`](https://redirect.github.com/cure53/DOMPurify/releases/tag/2.4.8): DOMPurify 2.4.8

[Compare Source](https://redirect.github.com/cure53/DOMPurify/compare/2.4.7...2.4.8)

-   Fixed two possible bypasses when sanitizing an XML document and later using it in HTML, thanks [@&#8203;Slonser](https://redirect.github.com/Slonser)

### [`v2.4.7`](https://redirect.github.com/cure53/DOMPurify/releases/tag/2.4.7): DOMPurify 2.4.7

[Compare Source](https://redirect.github.com/cure53/DOMPurify/compare/2.4.6...2.4.7)

-   Fixed a licensing issue spotted and reported by [@&#8203;george-thomas-hill](https://redirect.github.com/george-thomas-hill)

### [`v2.4.6`](https://redirect.github.com/cure53/DOMPurify/releases/tag/2.4.6): DOMPurify 2.4.6

[Compare Source](https://redirect.github.com/cure53/DOMPurify/compare/2.4.5...2.4.6)

-   Fixed a bypass in jsdom 22 in case the `noframes` element is permitted, thanks [@&#8203;leeN](https://redirect.github.com/leeN)

### [`v2.4.5`](https://redirect.github.com/cure53/DOMPurify/releases/tag/2.4.5): DOMPurify 2.4.5

[Compare Source](https://redirect.github.com/cure53/DOMPurify/compare/2.4.4...2.4.5)

-   Fixed a problem with improper reset of custom HTML options, thanks [@&#8203;ammaraskar](https://redirect.github.com/ammaraskar)

### [`v2.4.4`](https://redirect.github.com/cure53/DOMPurify/releases/tag/2.4.4): DOMPurify 2.4.4

[Compare Source](https://redirect.github.com/cure53/DOMPurify/compare/2.4.3...2.4.4)

-   Added support for `ALLOW_SELF_CLOSE_IN_ATTR` flag, thanks [@&#8203;edg2s](https://redirect.github.com/edg2s) [@&#8203;AndreVirtimo](https://redirect.github.com/AndreVirtimo)
-   Added better support for `shadowrootmode`, thanks [@&#8203;mfreed7](https://redirect.github.com/mfreed7)

### [`v2.4.3`](https://redirect.github.com/cure53/DOMPurify/releases/tag/2.4.3): DOMPurify 2.4.3

[Compare Source](https://redirect.github.com/cure53/DOMPurify/compare/2.4.2...2.4.3)

-   Final release that is compatible with MSIE10 & MSIE 11

### [`v2.4.2`](https://redirect.github.com/cure53/DOMPurify/releases/tag/2.4.2): DOMPurify 2.4.2

[Compare Source](https://redirect.github.com/cure53/DOMPurify/compare/2.4.1...2.4.2)

-   Fixed a Trusted Types sink violation with empty input and NAMESPACE , thanks [@&#8203;tosmolka](https://redirect.github.com/tosmolka)
-   Fixed a Prototype Pollution issue discovered and reported by [@&#8203;kevin-mizu](https://redirect.github.com/kevin-mizu)

### [`v2.4.1`](https://redirect.github.com/cure53/DOMPurify/releases/tag/2.4.1): DOMPurify 2.4.1

[Compare Source](https://redirect.github.com/cure53/DOMPurify/compare/2.4.0...2.4.1)

-   Added new config option `ALLOWED_NAMESPACES` for better XML handling, thanks [@&#8203;kevin-deyoungster](https://redirect.github.com/kevin-deyoungster) [@&#8203;tosmolka](https://redirect.github.com/tosmolka)
-   Added better detection of template literals when ` SAFE_FOR_TEMPLATES  ` is `true`
-   Fixed an exception caused by DOM clobbering, thanks [@&#8203;masatokinugawa](https://redirect.github.com/masatokinugawa)
-   Bumped some dependencies, thanks [@&#8203;marcpenya-tf](https://redirect.github.com/marcpenya-tf)

### [`v2.4.0`](https://redirect.github.com/cure53/DOMPurify/releases/tag/2.4.0): DOMPurify 2.4.0

[Compare Source](https://redirect.github.com/cure53/DOMPurify/compare/2.3.12...2.4.0)

-   Removed bundled types again as they caused too much trouble

### [`v2.3.12`](https://redirect.github.com/cure53/DOMPurify/releases/tag/2.3.12): DOMPurify 2.3.12

[Compare Source](https://redirect.github.com/cure53/DOMPurify/compare/2.3.11...2.3.12)

-   Fixed an issue in 2.3.11 causing errors w. TypeScript, see [#&#8203;712](https://redirect.github.com/cure53/DOMPurify/issues/712), thanks [@&#8203;Mirco469](https://redirect.github.com/Mirco469), [@&#8203;brentkeller](https://redirect.github.com/brentkeller), [@&#8203;aryanisml](https://redirect.github.com/aryanisml)

### [`v2.3.11`](https://redirect.github.com/cure53/DOMPurify/releases/tag/2.3.11): DOMPurify 2.3.11

[Compare Source](https://redirect.github.com/cure53/DOMPurify/compare/2.3.10...2.3.11)

-   Added generated type definitions for better compatibility
-   Added SANITIZE_NAMED_PROPS config option, thanks [@&#8203;SoheilKhodayari](https://redirect.github.com/SoheilKhodayari)
-   Updated README and config documentation, thanks [@&#8203;0xedward](https://redirect.github.com/0xedward)
-   Updated test suite with newer Node versions

### [`v2.3.10`](https://redirect.github.com/cure53/DOMPurify/releases/tag/2.3.10): DOMPurify 2.3.10

[Compare Source](https://redirect.github.com/cure53/DOMPurify/compare/2.3.9...2.3.10)

-   Added support for sanitization of attributes requiring Trusted Types, thanks [@&#8203;tosmolka](https://redirect.github.com/tosmolka)

### [`v2.3.9`](https://redirect.github.com/cure53/DOMPurify/releases/tag/2.3.9): DOMPurify 2.3.9

[Compare Source](https://redirect.github.com/cure53/DOMPurify/compare/2.3.8...2.3.9)

-   Made TAG and ATTR config options case-sensitive when parsing XHTML, thanks [@&#8203;tosmolka](https://redirect.github.com/tosmolka)
-   Bumped some dependencies, thanks [@&#8203;is2ei](https://redirect.github.com/is2ei)
-   Included github-actions in the dependabot config, thanks [@&#8203;nathannaveen](https://redirect.github.com/nathannaveen)

### [`v2.3.8`](https://redirect.github.com/cure53/DOMPurify/releases/tag/2.3.8): DOMPurify 2.3.8

[Compare Source](https://redirect.github.com/cure53/DOMPurify/compare/6fa9e5c0b5535a2f9f38821a9fc9f17cadb7cd77...2.3.8)

-   Cleaned up a minor issue with the 2.3.7 release, thanks [@&#8203;johnbirds](https://redirect.github.com/johnbirds)

No other changes compared to 2.3.7 release, which entail:

-   Fixes around a bug in Safari, thanks [@&#8203;sybrew](https://redirect.github.com/sybrew)
-   Slightly improved performance, thanks [@&#8203;tiny-ben-tran](https://redirect.github.com/tiny-ben-tran)
-   Lots of chores, bumps and typo fixes, thanks [@&#8203;is2ei](https://redirect.github.com/is2ei)
-   Removed unnecessary string trimming, thanks [@&#8203;christopherehlen](https://redirect.github.com/christopherehlen)

### [`v2.3.7`](https://redirect.github.com/cure53/DOMPurify/compare/2.3.6...6fa9e5c0b5535a2f9f38821a9fc9f17cadb7cd77)

[Compare Source](https://redirect.github.com/cure53/DOMPurify/compare/2.3.6...6fa9e5c0b5535a2f9f38821a9fc9f17cadb7cd77)

### [`v2.3.6`](https://redirect.github.com/cure53/DOMPurify/releases/tag/2.3.6): DOMPurify 2.3.6

[Compare Source](https://redirect.github.com/cure53/DOMPurify/compare/2.3.5...2.3.6)

-   Added an option to allow HTML5 doctypes, thanks [@&#8203;tosmolka](https://redirect.github.com/tosmolka)
-   Bumped several dependencies, thanks [@&#8203;is2ei](https://redirect.github.com/is2ei)
-   Updated documentation to cover recently added flags, thanks [@&#8203;is2ei](https://redirect.github.com/is2ei)

### [`v2.3.5`](https://redirect.github.com/cure53/DOMPurify/releases/tag/2.3.5): DOMPurify 2.3.5

[Compare Source](https://redirect.github.com/cure53/DOMPurify/compare/2.3.4...2.3.5)

-   Performed several chores and cleanups, thanks [@&#8203;is2ei](https://redirect.github.com/is2ei)
-   Fixed a bug when working with Trusted Types, thanks [@&#8203;tosmolka](https://redirect.github.com/tosmolka)
-   Fixed a bug with weird behavior on insecure nodes in IN_PLACE mode, thanks [@&#8203;tosmolka](https://redirect.github.com/tosmolka)
-   Added more SVG attributes to allow-list, thanks [@&#8203;rzhade3](https://redirect.github.com/rzhade3)

### [`v2.3.4`](https://redirect.github.com/cure53/DOMPurify/releases/tag/2.3.4): DOMPurify 2.3.4

[Compare Source](https://redirect.github.com/cure53/DOMPurify/compare/2.3.3...2.3.4)

-   Added support for Custom Elements, thanks [@&#8203;franktopel](https://redirect.github.com/franktopel)
-   Added new config settings to control Custom Element sanitizing, thanks [@&#8203;franktopel](https://redirect.github.com/franktopel)
-   Added faster clobber checks, thanks [@&#8203;GrantGryczan](https://redirect.github.com/GrantGryczan)
-   Allow-listed SVG `feImage` elements, thanks [@&#8203;ydaniv](https://redirect.github.com/ydaniv)
-   Updated test suite
-   Update supported Node versions
-   Updated README

### [`v2.3.3`](https://redirect.github.com/cure53/DOMPurify/releases/tag/2.3.3): DOMPurify 2.3.3

[Compare Source](https://redirect.github.com/cure53/DOMPurify/compare/2.3.2...2.3.3)

-   Fixed a bug in the handing of `PARSER_MEDIA_TYPE` spotted by [@&#8203;securitum-mb](https://redirect.github.com/securitum-mb)
-   Adjusted the tests for MSIE to make sure the results are as expected now

### [`v2.3.2`](https://redirect.github.com/cure53/DOMPurify/releases/tag/2.3.2): DOMPurify 2.3.2

[Compare Source](https://redirect.github.com/cure53/DOMPurify/compare/2.3.1...2.3.2)

-   Added new config option `PARSER_MEDIA_TYPE`, thanks [@&#8203;tosmolka](https://redirect.github.com/tosmolka)

### [`v2.3.1`](https://redirect.github.com/cure53/DOMPurify/releases/tag/2.3.1): DOMPurify 2.3.1

[Compare Source](https://redirect.github.com/cure53/DOMPurify/compare/2.3.0...2.3.1)

-   Added code to make `FORBID_CONTENTS` setting configurable
-   Added `role` to URI-safe attributes
-   Added more paranoid handling for template elements

### [`v2.3.0`](https://redirect.github.com/cure53/DOMPurify/releases/tag/2.3.0): DOMPurify 2.3.0

[Compare Source](https://redirect.github.com/cure53/DOMPurify/compare/2.2.9...2.3.0)

-   Added better handling of document creation on Firefox
-   Added better handling of version numbers in license file
-   Added two new browser versions to test suite config
-   Fixed a bug with handling of custom data attributes

### [`v2.2.9`](https://redirect.github.com/cure53/DOMPurify/releases/tag/2.2.9): DOMPurify 2.2.9

[Compare Source](https://redirect.github.com/cure53/DOMPurify/compare/2.2.8...2.2.9)

-   Fixed some minor issues related to the `NAMESPACE` config
-   Fixed some minor issues relating to empty input
-   Fixed some minor issues relating to handling of invalid XML

### [`v2.2.8`](https://redirect.github.com/cure53/DOMPurify/releases/tag/2.2.8): DOMPurify 2.2.8

[Compare Source](https://redirect.github.com/cure53/DOMPurify/compare/2.2.7...2.2.8)

-   Added `NAMESPACE` config option, thanks [@&#8203;NateScarlet](https://redirect.github.com/NateScarlet)
-   Added better fallback for older browsers & PhantomJS, thanks [@&#8203;albanx](https://redirect.github.com/albanx)
-   Extended allow-list for SVG attributes a bit

### [`v2.2.7`](https://redirect.github.com/cure53/DOMPurify/releases/tag/2.2.7): DOMPurify 2.2.7

[Compare Source](https://redirect.github.com/cure53/DOMPurify/compare/2.2.6...2.2.7)

-   Fixed handling of unsupported browsers, i.e. Safari 9 and older
-   Fixed various minor bugs and typos in README and examples
-   Added better handling of potentially harmful "is" attributes
-   Added better handling of *lookupGetter* functionality

### [`v2.2.6`](https://redirect.github.com/cure53/DOMPurify/releases/tag/2.2.6): DOMPurify 2.2.6

[Compare Source](https://redirect.github.com/cure53/DOMPurify/compare/8a1c8876a7552b44da7fea579965136058d966b9...2.2.6)

-   Added new mXSS prevention logic created by [SecurityMB](https://twitter.com/SecurityMB)

### [`v2.2.5`](https://redirect.github.com/cure53/DOMPurify/compare/2.2.4...8a1c8876a7552b44da7fea579965136058d966b9)

[Compare Source](https://redirect.github.com/cure53/DOMPurify/compare/2.2.4...8a1c8876a7552b44da7fea579965136058d966b9)

### [`v2.2.4`](https://redirect.github.com/cure53/DOMPurify/releases/tag/2.2.4): DOMPurify 2.2.4

[Compare Source](https://redirect.github.com/cure53/DOMPurify/compare/2.2.3...2.2.4)

-   Fixed a new MathML-based bypass submitted by [PewGrand](https://twitter.com/PewGrand)
-   Fixed a new SVG-related bypass submitted by [SecurityMB](https://twitter.com/SecurityMB)
-   Updated NodeJS CI to Node 14.x and Node 15.x
-   Cleaned up `_forceRemove` logic for better reliability

### [`v2.2.3`](https://redirect.github.com/cure53/DOMPurify/releases/tag/2.2.3): DOMPurify 2.2.3

[Compare Source](https://redirect.github.com/cure53/DOMPurify/compare/2.2.2...2.2.3)

-   Fixed an mXSS issue reported by [PewGrand](https://twitter.com/PewGrand)
-   Fixed a minor issue with the license header
-   Fixed a problem with overly-eager CSS stripping
-   Updated the README and removed an XSS warning

### [`v2.2.2`](https://redirect.github.com/cure53/DOMPurify/releases/tag/2.2.2): DOMPurify 2.2.2

[Compare Source](https://redirect.github.com/cure53/DOMPurify/compare/0771f47e1679e6b9b7979e0318a29776bfb0adf4...2.2.2)

-   Fixed an mXSS bypass dropped on us publicly via [#&#8203;482](https://redirect.github.com/cure53/DOMPurify/issues/482)
-   Fixed an mXSS variation that was reported privately short after
-   Added dialog to permitted elements list
-   Fixed a small typo in the README

### [`v2.2.1`](https://redirect.github.com/cure53/DOMPurify/compare/2.2.0...0771f47e1679e6b9b7979e0318a29776bfb0adf4)

[Compare Source](https://redirect.github.com/cure53/DOMPurify/compare/2.2.0...0771f47e1679e6b9b7979e0318a29776bfb0adf4)

### [`v2.2.0`](https://redirect.github.com/cure53/DOMPurify/releases/tag/2.2.0): DOMPurify 2.2.0

[Compare Source](https://redirect.github.com/cure53/DOMPurify/compare/2.1.1...2.2.0)

-   Fix a possible XSS in Chrome that is hidden behind *#enable-experimental-web-platform-features*, reported by [@&#8203;neilj](https://redirect.github.com/neilj) and [@&#8203;mfreed7](https://redirect.github.com/mfreed7)
-   Changed `RETURN_DOM_IMPORT` default to `true` to address said possible XSS
-   Updated README to reflect the new change and inform about the risks of manually setting `RETURN_DOM_IMPORT` back to `false`
-   Fixed the tests to properly address the new default

### [`v2.1.1`](https://redirect.github.com/cure53/DOMPurify/releases/tag/2.1.1): DOMPurify 2.1.1

[Compare Source](https://redirect.github.com/cure53/DOMPurify/compare/2.1.0...2.1.1)

-   Removed some code targeting old Safari versions
-   Removed some code targeting older MS Edge versions
-   Re-added some code targeting older Chrome versions, thanks [@&#8203;terjanq](https://redirect.github.com/terjanq)
-   Added new tests and removed unused SAFE_FOR_JQUERY test cases
-   Added Node 14.x to existing test coverage

### [`v2.1.0`](https://redirect.github.com/cure53/DOMPurify/releases/tag/2.1.0): DOMPurify 2.1.0

[Compare Source](https://redirect.github.com/cure53/DOMPurify/compare/2.0.17...2.1.0)

-   Fixed several possible mXSS patterns, thanks [@&#8203;hackvertor](https://redirect.github.com/hackvertor)
-   Removed the `SAFE_FOR_JQUERY` flag (we are safe by default now for jQuery)
-   Removed several now useless mXSS checks
-   Updated the mXSS check for elements
-   Updated test cases to cover new sanitization strategy
-   Updated test website to use newer jQuery
-   Updated array of tested browsers and removed legacy browsers
-   Added "auto convert" checkbox to test website, thanks [@&#8203;hackvertor](https://redirect.github.com/hackvertor)

### [`v2.0.17`](https://redirect.github.com/cure53/DOMPurify/releases/tag/2.0.17): DOMPurify 2.0.17

[Compare Source](https://redirect.github.com/cure53/DOMPurify/compare/2.0.16...2.0.17)

-   Fixed another bypass causing mXSS by using MathML

### [`v2.0.16`](https://redirect.github.com/cure53/DOMPurify/releases/tag/2.0.16): DOMPurify 2.0.16

[Compare Source](https://redirect.github.com/cure53/DOMPurify/compare/2.0.15...2.0.16)

-   Fixed an mXSS-based bypass caused by nested forms inside MathML
-   Fixed a security error thrown on older Chrome on Android versions, see [#&#8203;470](https://redirect.github.com/cure53/DOMPurify/issues/470)

Credits for the bypass go to Michał Bentkowski ([@&#8203;securityMB](https://redirect.github.com/securityMB)) of Securitum who spotted the bug in Chrome, turned it into another DOMPurify bypass, reported and helped verifying the fix :bowing_man: :bowing_woman:

### [`v2.0.15`](https://redirect.github.com/cure53/DOMPurify/releases/tag/2.0.15): DOMPurify 2.0.15

[Compare Source](https://redirect.github.com/cure53/DOMPurify/compare/2.0.14...2.0.15)

-   Added a renovated test suite, thanks [@&#8203;peernohell](https://redirect.github.com/peernohell)
-   Fixed some minor linter warnings

### [`v2.0.14`](https://redirect.github.com/cure53/DOMPurify/releases/tag/2.0.14): DOMPurify 2.0.14

[Compare Source](https://redirect.github.com/cure53/DOMPurify/compare/2.0.13...2.0.14)

-   Fixed a problem with the documentMode default value

### [`v2.0.13`](https://redirect.github.com/cure53/DOMPurify/compare/2.0.12...2.0.13)

[Compare Source](https://redirect.github.com/cure53/DOMPurify/compare/2.0.12...2.0.13)

</details>

---

### Configuration

📅 **Schedule**: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update again.

---

 - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box

---

This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/dsi-icl/borderline).
<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzOC4xOC4xNyIsInVwZGF0ZWRJblZlciI6IjM4LjExNS4xIiwidGFyZ2V0QnJhbmNoIjoiZGV2ZWxvcCIsImxhYmVscyI6W119-->