[ https://issues.apache.org/jira/browse/ATLAS-5278?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=18077017#comment-18077017 ]

Alisha Dbritto commented on ATLAS-5278:
---------------------------------------

Testing done:
Description input field working correctly
All other input fields (name, labels, terms) working correctly
No XSS issues found
Special characters are sanitized properly in all input fields
Entity detail page inputs working as expected

Build passed. Fix verified and working as expected.

> Atlas UI: Upgrade dompurify to 3.4.0
> ------------------------------------
>
>                 Key: ATLAS-5278
>                 URL: https://issues.apache.org/jira/browse/ATLAS-5278
>             Project: Atlas
>          Issue Type: Improvement
>          Components: atlas-webui
>    Affects Versions: 3.0.0
>            Reporter: Prasad P. Pawar
>            Assignee: Prasad P. Pawar
>            Priority: Major
>              Labels: Atlas-UI
>          Time Spent: 10m
>  Remaining Estimate: 0h
>
> h2. Files to touch for the fix (DOMPurify 3.4.0)
> ||Area||Action||
> |{{dashboardv2/public/js/external_lib/dompurify/purify.min.js}}|Replace with the 3.4.0 build (same filename/path so RequireJS in {{main.js}} / {{migration.js}} usually stays the same).|
> |{{dashboardv2/public/js/main.js}}|Only if you change path/filename (normally no change).|
> |{{dashboardv2/public/js/migration.js}}|Same as {{main.js}}.|
> |{{dashboardv2/public/js/utils/Utils.js}}|Review only — already calls {{DOMPurify.sanitize(editorContent, config)}} with {{FORBID_TAGS}} / {{FORBID_ATTR}} (relevant to CVE-2026-41240 class of issues before 3.4.0). Unlikely to need API changes if you keep the same config shape.|
> |License / notices|If the project documents bundled versions (e.g. {{LICENSE}}, {{docs/.../ProjectLicense.md}}, {{3party-licenses/}}), bump the stated DOMPurify version to 3.4.0 if those files mention it (current grep did not find DOMPurify in {{LICENSE}}; still worth a manual read).|
> No {{package.json}} bump in {{dashboardv2}} for DOMPurify today because it is not an npm dependency there—only the vendored file.

--
This message was sent by Atlassian Jira
(v8.20.10#820010)
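The "files to touch" table above is a checklist for swapping a vendored library without a package manager. The script below turns that checklist into a repeatable verification step: it reads the version literal a DOMPurify build embeds in the bundle and confirms that the RequireJS configs still resolve the vendored path (the "normally no change" case). It is an added example written for this page, not code from the Atlas project or the Jira issue; the directory layout mirrors the table, but the bundle and `main.js` contents created by `make_fixture` are constructed stand-ins, not the real files.

```shell
#!/bin/sh
# Added example (not Atlas project code): verify a vendored DOMPurify upgrade.
# Layout follows the ATLAS-5278 table: <root>/external_lib/dompurify/purify.min.js,
# <root>/main.js, <root>/migration.js, where <root> is dashboardv2/public/js.

EXPECTED_DOMPURIFY_VERSION="3.4.0"

# Print the version literal embedded in a DOMPurify build. Both the readable and
# the minified builds keep a quoted `version = "x.y.z"` / `version:"x.y.z"` token.
vendored_dompurify_version() {
  # $1 = path to purify.min.js
  sed -n 's/.*version[[:space:]]*[:=][[:space:]]*["'\'']\([0-9][0-9.]*\)["'\''].*/\1/p' "$1" | head -n 1
}

# Return 0 when the bundle exists and declares exactly the expected version.
check_dompurify_bundle() {
  # $1 = dashboard js root, $2 = expected version string
  bundle="$1/external_lib/dompurify/purify.min.js"
  [ -f "$bundle" ] || { echo "missing: $bundle" >&2; return 1; }
  found=$(vendored_dompurify_version "$bundle")
  if [ "$found" != "$2" ]; then
    echo "version mismatch in $bundle: found '$found', expected '$2'" >&2
    return 1
  fi
  return 0
}

# Return 0 when both RequireJS configs still reference the vendored path, i.e.
# the upgrade kept the same filename and no main.js / migration.js edit is needed.
check_requirejs_paths() {
  # $1 = dashboard js root
  for cfg in "$1/main.js" "$1/migration.js"; do
    [ -f "$cfg" ] || { echo "missing: $cfg" >&2; return 1; }
    grep -q "external_lib/dompurify/purify.min" "$cfg" || {
      echo "no DOMPurify path in $cfg" >&2; return 1; }
  done
  return 0
}

# Constructed fixture standing in for the repo layout; the bundle body is a
# placeholder that only carries a version literal, NOT a real DOMPurify build.
make_fixture() {
  # $1 = version string to embed; prints the fixture root
  root=$(mktemp -d)
  mkdir -p "$root/external_lib/dompurify"
  printf '!function(){var e={};e.version="%s";e.sanitize=function(t){return t}}();\n' "$1" \
    > "$root/external_lib/dompurify/purify.min.js"
  printf 'require.config({paths:{"DOMPurify":"external_lib/dompurify/purify.min"}});\n' \
    > "$root/main.js"
  cp "$root/main.js" "$root/migration.js"
  echo "$root"
}

# Usage against a real checkout (assumed env var, e.g. dashboardv2/public/js):
if [ -n "$ATLAS_DASHBOARD_JS" ]; then
  check_dompurify_bundle "$ATLAS_DASHBOARD_JS" "$EXPECTED_DOMPURIFY_VERSION" \
    && check_requirejs_paths "$ATLAS_DASHBOARD_JS" \
    && echo "DOMPurify $EXPECTED_DOMPURIFY_VERSION vendored correctly"
fi
```

Run it with `ATLAS_DASHBOARD_JS=dashboardv2/public/js sh check_dompurify.sh` from the repo root; a stale bundle or a broken RequireJS path exits non-zero with the offending file named, which makes the check usable in a pre-commit hook or CI job.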