Prasad P. Pawar created ATLAS-5278:
--------------------------------------
Summary: Atlas UI: Upgrade dompurify to 3.4.0
Key: ATLAS-5278
URL: https://issues.apache.org/jira/browse/ATLAS-5278
Project: Atlas
Issue Type: Improvement
Components: atlas-webui
Affects Versions: 3.0.0
Reporter: Prasad P. Pawar
Assignee: Prasad P. Pawar
h2. Files to touch for the fix (DOMPurify 3.4.0)
||Area||Action||
|{{dashboardv2/public/js/external_lib/dompurify/purify.min.js}}|Replace with the 3.4.0 build (same filename/path so RequireJS in {{main.js}} / {{migration.js}} usually stays the same).|
|{{dashboardv2/public/js/main.js}}|Only if you change path/filename (normally no change).|
|{{dashboardv2/public/js/migration.js}}|Same as {{main.js}}.|
|{{dashboardv2/public/js/utils/Utils.js}}|Review only — already calls {{DOMPurify.sanitize(editorContent, config)}} with {{FORBID_TAGS}} / {{FORBID_ATTR}} (relevant to CVE-2026-41240 class of issues before 3.4.0). Unlikely to need API changes if you keep the same config shape.|
|License / notices|If the project documents bundled versions (e.g. {{LICENSE}}, {{docs/.../ProjectLicense.md}}, {{3party-licenses/}}), bump the stated DOMPurify version to 3.4.0 if those files mention it (current grep did not find DOMPurify in {{LICENSE}}; still worth a manual read).|
No {{package.json}} bump in {{dashboardv2}} for DOMPurify today because it is
not an npm dependency there—only the vendored file.
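Because the library is a vendored file and no {{package.json}} entry records its version, the replaced {{purify.min.js}} can be checked directly. The following is an added example, not part of the ticket or the Atlas code base: it reads the version from the file's leading license banner and fails closed when the banner is missing. The banner pattern, the function names and the sample strings are assumptions made for illustration.

```javascript
// Added example: function names and sample banners are constructed for illustration.
const MIN_VERSION = "3.4.0"; // target version named in the ticket

// Parse "x.y.z" into numeric parts; returns null for anything else.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v);
  return m ? m.slice(1).map(Number) : null;
}

// Numeric comparison, so 3.10.0 sorts above 3.4.0 (a string compare gets this wrong).
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  if (!pa || !pb) throw new Error("unparseable version");
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Assumption: the build starts with a "/*! @license DOMPurify x.y.z | ..." banner.
function bannerVersion(fileText) {
  const m = /@license\s+DOMPurify\s+(\d+\.\d+\.\d+)/.exec(fileText.slice(0, 512));
  return m ? m[1] : null;
}

// Fail closed: a file whose version cannot be read is reported as not OK.
function checkVendoredDompurify(fileText, minimum = MIN_VERSION) {
  const found = bannerVersion(fileText);
  if (found === null) return { ok: false, found, reason: "no version banner; inspect manually" };
  if (compareVersions(found, minimum) < 0) return { ok: false, found, reason: `older than ${minimum}` };
  return { ok: true, found, reason: "meets minimum" };
}

// Constructed samples standing in for the head of purify.min.js (not real file contents).
const SAMPLE_OLD = "/*! @license DOMPurify 3.0.5 | (c) ... */\n!function(){}();";
const SAMPLE_NEW = "/*! @license DOMPurify 3.4.0 | (c) ... */\n!function(){}();";
const SAMPLE_STRIPPED = "!function(){}();"; // banner removed by a re-minify step

for (const [name, text] of [["old", SAMPLE_OLD], ["new", SAMPLE_NEW], ["stripped", SAMPLE_STRIPPED]]) {
  console.log(name, JSON.stringify(checkVendoredDompurify(text)));
}
```

In a build or CI step, pass the contents of the vendored file to {{checkVendoredDompurify}} and fail the job when {{ok}} is false.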