
OWASP vulnerabilities due to outdated dependency #9240

Closed
areyes05 opened this issue Nov 17, 2020 · 3 comments · Fixed by #9241

Comments

@areyes05

A scan using the OWASP dependency-check reveals that Cesium uses DOMPurify 1.0.8 which has several vulnerabilities that were patched on release 2.2.2.

  • Fixed an mXSS-based bypass caused by nested forms inside MathML (RETIREJS)
  • Fixed another bypass causing mXSS by using MathML
  • Fixed several possible mXSS patterns, thanks @hackvertor (RETIREJS)

Could it be possible to update this dependency so that Cesium will not be vulnerable?

I also recommend adding a security policy on GitHub so that the contributors can get a chance to address these issues before making them public.

Thanks

AR

mramato added a commit that referenced this issue Nov 17, 2020
We were very out of date and this addresses several potential OWASP
vulnerabilities. Fixes #9240
@mramato
Contributor

mramato commented Nov 17, 2020

Thanks for reporting this @areyes05, I just opened #9241 with a fix. I will write up another issue to look into using dependency-check either in our release process or as part of CI (depending on how long it takes) and a third issue for adding a security policy.

Thanks again.

This was referenced Nov 17, 2020
@areyes05
Author

I am impressed by how soon you tackled this and I am thrilled by Cesium adding the dependency-checker to the release process.

Great work!

@reliable-casey

@mramato This new version of purify declares a source map here: 4d4892b#diff-1b4d88e996ee00af5f71adfe5aafd9188412f0990b0d1d90fa58c12c1477edd3R1159

However the source map is not included in the Cesium codebase, so I'm getting a 404 warning during development:

DevTools failed to load SourceMap: Could not load content for .../Cesium/Source/ThirdParty/purify.es.js.map: HTTP error: status code 404, net::ERR_HTTP_RESPONSE_CODE_FAILURE

Is this something you want a new issue ticket for? Thanks!
