Bump dompurify

extensions/markdown-language-features/package.json

@@ -722,7 +722,7 @@
   },
   "dependencies": {
     "@vscode/extension-telemetry": "0.7.5",
-    "dompurify": "^2.4.1",
+    "dompurify": "^3.0.5",
     "highlight.js": "^11.8.0",
     "markdown-it": "^12.3.2",
     "markdown-it-front-matter": "^0.2.1",
@@ -732,7 +732,7 @@
     "vscode-uri": "^3.0.3"
   },
   "devDependencies": {
-    "@types/dompurify": "^2.3.1",
+    "@types/dompurify": "^3.0.2",
     "@types/lodash.throttle": "^4.1.3",
     "@types/markdown-it": "12.2.3",
     "@types/picomatch": "^2.3.0",

extensions/markdown-language-features/yarn.lock

@@ -165,10 +165,10 @@
   resolved "https://registry.yarnpkg.com/@tootallnate/once/-/once-2.0.0.tgz#f544a148d3ab35801c1f633a7441fd87c2e484bf"
   integrity sha512-XCuKFP5PS55gnMVu3dty8KPatLqUoy/ZYzDzAGCQ8JNFCkLXzmI7vNHCR+XpbZaMWQK/vQubr7PkYq8g470J/A==
 
-"@types/dompurify@^2.3.1":
-  version "2.3.1"
-  resolved "https://registry.yarnpkg.com/@types/dompurify/-/dompurify-2.3.1.tgz#2934adcd31c4e6b02676f9c22f9756e5091c04dd"
-  integrity sha512-YJth9qa0V/E6/XPH1Jq4BC8uCMmO8V1fKWn8PCvuZcAhMn7q0ez9LW6naQT04UZzjFfAPhyRMZmI2a2rbMlEFA==
+"@types/dompurify@^3.0.2":
+  version "3.0.2"
+  resolved "https://registry.yarnpkg.com/@types/dompurify/-/dompurify-3.0.2.tgz#c1cd33a475bc49c43c2a7900e41028e2136a4553"
+  integrity sha512-YBL4ziFebbbfQfH5mlC+QTJsvh0oJUrWbmxKMyEdL7emlHJqGR2Qb34TEFKj+VCayBvjKy3xczMFNhugThUsfQ==
   dependencies:
     "@types/trusted-types" "*"
 
@@ -352,10 +352,10 @@ diagnostic-channel@1.1.0:
   dependencies:
     semver "^5.3.0"
 
-dompurify@^2.4.1:
-  version "2.4.1"
-  resolved "https://registry.yarnpkg.com/dompurify/-/dompurify-2.4.1.tgz#f9cb1a275fde9af6f2d0a2644ef648dd6847b631"
-  integrity sha512-ewwFzHzrrneRjxzmK6oVz/rZn9VWspGFRDb4/rRtIsM1n36t9AKma/ye8syCpcw+XJ25kOK/hOG7t1j2I2yBqA==
+dompurify@^3.0.5:
+  version "3.0.5"
+  resolved "https://registry.yarnpkg.com/dompurify/-/dompurify-3.0.5.tgz#eb3d9cfa10037b6e73f32c586682c4b2ab01fbed"
+  integrity sha512-F9e6wPGtY+8KNMRAVfxeCOHU0/NPWMSENNq4pQctuXRqqdEPW7q3CrLbR5Nse044WwacyjHGOMlvNsBe1y6z9A==
 
 emitter-listener@^1.0.1, emitter-listener@^1.1.1:
   version "1.1.2"

src/vs/base/browser/dompurify/cgmanifest.json

@@ -6,11 +6,11 @@
 				"git": {
 					"name": "dompurify",
 					"repositoryUrl": "https://github.com/cure53/DOMPurify",
-					"commitHash": "6cfcdf56269b892550af80baa7c1fa5b680e5db7"
+					"commitHash": "c96c9df61f1070146c0c13078e85b33d8fed3e51"
 				}
 			},
 			"license": "Apache 2.0",
-			"version": "2.3.1"
+			"version": "3.0.5"
 		}
 	],
 	"version": 1

src/vs/base/browser/dompurify/dompurify.d.ts

@@ -1,4 +1,4 @@
-// Type definitions for DOM Purify 2.2
+// Type definitions for DOM Purify 3.0
 // Project: https://github.com/cure53/DOMPurify
 // Definitions by: Dave Taylor https://github.com/davetayls
 //                 Samira Bazuzi <https://github.com/bazuzi>
@@ -7,27 +7,49 @@
 //                 Piotr Błażejewicz <https://github.com/peterblazejewicz>
 //                 Nicholas Ellul <https://github.com/NicholasEllul>
 // Definitions: https://github.com/DefinitelyTyped/DefinitelyTyped
+// Minimum TypeScript Version: 4.5
 
 export as namespace DOMPurify;
 export = DOMPurify;
 
 declare const DOMPurify: createDOMPurifyI;
 
+type WindowLike = Pick<
+	typeof globalThis,
+	| 'NodeFilter'
+	| 'Node'
+	| 'Element'
+	| 'HTMLTemplateElement'
+	| 'DocumentFragment'
+	| 'HTMLFormElement'
+	| 'DOMParser'
+	| 'NamedNodeMap'
+>;
+
 interface createDOMPurifyI extends DOMPurify.DOMPurifyI {
-	(window?: Window): DOMPurify.DOMPurifyI;
+	(window?: Window | WindowLike): DOMPurify.DOMPurifyI;
 }
 
 declare namespace DOMPurify {
 	interface DOMPurifyI {
 		sanitize(source: string | Node): string;
 		sanitize(source: string | Node, config: Config & { RETURN_TRUSTED_TYPE: true }): TrustedHTML;
-		sanitize(source: string | Node, config: Config & { RETURN_DOM_FRAGMENT?: false | undefined; RETURN_DOM?: false | undefined }): string;
+		sanitize(
+			source: string | Node,
+			config: Config & { RETURN_DOM_FRAGMENT?: false | undefined; RETURN_DOM?: false | undefined },
+		): string;
 		sanitize(source: string | Node, config: Config & { RETURN_DOM_FRAGMENT: true }): DocumentFragment;
 		sanitize(source: string | Node, config: Config & { RETURN_DOM: true }): HTMLElement;
 		sanitize(source: string | Node, config: Config): string | HTMLElement | DocumentFragment;
 
-		addHook(hook: 'uponSanitizeElement', cb: (currentNode: Element, data: SanitizeElementHookEvent, config: Config) => void): void;
-		addHook(hook: 'uponSanitizeAttribute', cb: (currentNode: Element, data: SanitizeAttributeHookEvent, config: Config) => void): void;
+		addHook(
+			hook: 'uponSanitizeElement',
+			cb: (currentNode: Element, data: SanitizeElementHookEvent, config: Config) => void,
+		): void;
+		addHook(
+			hook: 'uponSanitizeAttribute',
+			cb: (currentNode: Element, data: SanitizeAttributeHookEvent, config: Config) => void,
+		): void;
 		addHook(hook: HookName, cb: (currentNode: Element, data: HookEvent, config: Config) => void): void;
 
 		setConfig(cfg: Config): void;
@@ -47,33 +69,54 @@ declare namespace DOMPurify {
 		ADD_ATTR?: string[] | undefined;
 		ADD_DATA_URI_TAGS?: string[] | undefined;
 		ADD_TAGS?: string[] | undefined;
+		ADD_URI_SAFE_ATTR?: string[] | undefined;
+		ALLOW_ARIA_ATTR?: boolean | undefined;
 		ALLOW_DATA_ATTR?: boolean | undefined;
+		ALLOW_UNKNOWN_PROTOCOLS?: boolean | undefined;
+		ALLOW_SELF_CLOSE_IN_ATTR?: boolean | undefined;
 		ALLOWED_ATTR?: string[] | undefined;
 		ALLOWED_TAGS?: string[] | undefined;
+		ALLOWED_NAMESPACES?: string[] | undefined;
+		ALLOWED_URI_REGEXP?: RegExp | undefined;
 		FORBID_ATTR?: string[] | undefined;
+		FORBID_CONTENTS?: string[] | undefined;
 		FORBID_TAGS?: string[] | undefined;
 		FORCE_BODY?: boolean | undefined;
+		IN_PLACE?: boolean | undefined;
 		KEEP_CONTENT?: boolean | undefined;
 		/**
 		 * change the default namespace from HTML to something different
 		 */
 		NAMESPACE?: string | undefined;
-		RETURN_DOM?: boolean | undefined;
+		PARSER_MEDIA_TYPE?: string | undefined;
 		RETURN_DOM_FRAGMENT?: boolean | undefined;
 		/**
 		 * This defaults to `true` starting DOMPurify 2.2.0. Note that setting it to `false`
 		 * might cause XSS from attacks hidden in closed shadowroots in case the browser
 		 * supports Declarative Shadow: DOM https://web.dev/declarative-shadow-dom/
 		 */
 		RETURN_DOM_IMPORT?: boolean | undefined;
+		RETURN_DOM?: boolean | undefined;
 		RETURN_TRUSTED_TYPE?: boolean | undefined;
+		SAFE_FOR_TEMPLATES?: boolean | undefined;
 		SANITIZE_DOM?: boolean | undefined;
+		/** @default false */
+		SANITIZE_NAMED_PROPS?: boolean | undefined;
+		USE_PROFILES?:
+		| false
+		| {
+			mathMl?: boolean | undefined;
+			svg?: boolean | undefined;
+			svgFilters?: boolean | undefined;
+			html?: boolean | undefined;
+		}
+		| undefined;
 		WHOLE_DOCUMENT?: boolean | undefined;
-		ALLOWED_URI_REGEXP?: RegExp | undefined;
-		SAFE_FOR_TEMPLATES?: boolean | undefined;
-		ALLOW_UNKNOWN_PROTOCOLS?: boolean | undefined;
-		USE_PROFILES?: false | { mathMl?: boolean | undefined; svg?: boolean | undefined; svgFilters?: boolean | undefined; html?: boolean | undefined } | undefined;
-		IN_PLACE?: boolean | undefined;
+		CUSTOM_ELEMENT_HANDLING?: {
+			tagNameCheck?: RegExp | ((tagName: string) => boolean) | null | undefined;
+			attributeNameCheck?: RegExp | ((lcName: string) => boolean) | null | undefined;
+			allowCustomizedBuiltInElements?: boolean | undefined;
+		};
 	}
 
 	type HookName =