DOMPurify 2.4.7 and 3.0.8 vulnerabilities in Flare

laurieschu
Jr. Propeller Head
Posts: 7
Joined: Fri Mar 12, 2010 7:11 am

DOMPurify 2.4.7 and 3.0.8 vulnerabilities in Flare

Post by laurieschu »

Hi all,
The DOMPurify version in Flare appears to be open to a security vulnerability, as described in: https://security.snyk.io/package/npm/dompurify/3.0.8.
Per this article, it should be updated to at least version 3.1.3, but ideally 3.2.4 or higher.
Do we know if there are plans to update this and if so how soon?
Many thanks!
Psider
Propellus Maximus
Posts: 902
Joined: Wed Jul 06, 2011 1:32 am

Re: DOMPurify 2.4.7 and 3.0.8 vulnerabilities in Flare

Post by Psider »

You'll need to contact MadCap Support to see if you get that info.

I found an upgrade to DOMPurify 3.0.8 mentioned in the release notes for Flare 2024 under "Customer Reported Bugs". So contacting Support and getting a ticket raised is likely to bump it up their priority list, if it isn't already.

https://kb.madcapsoftware.com/knowledge ... _Notes.htm
paul_collins
Propeller Head
Posts: 25
Joined: Thu May 22, 2014 7:25 am

Re: DOMPurify 2.4.7 and 3.0.8 vulnerabilities in Flare

Post by paul_collins »

I was informed by email from MadCap about a fix for this a couple of weeks ago:

One of the issues you reported to MadCap Software, issue 183780, has been addressed in a patch for MadCap Flare 2024 r2.
The issue was described in our development database as:
Vulnerability with DOMPurify version 3.0.8
The link to the patch is provided below:
https://ts.madcapsoftware.com/Downloads ... 183780.zip

We've applied the patch and everything seems fine.

Also, when we accessed it, there was a typo in the path in the readme. It should say that you need to replace the purify.min.js file located in the following directory: C:\Program Files\MadCap Software\MadCap Flare 20\Flare.app\Resources\WebHelp2\Scripts
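A way to confirm the patch actually landed, added here as an example and not code from MadCap or from the poster above: DOMPurify's distributed builds open with a license banner that names the release (for example "/*! @license DOMPurify 3.0.8 | (c) Cure53 ... */"), so the shipped version can be read straight out of purify.min.js and compared against the 3.1.3 minimum quoted from the Snyk page earlier in the thread. The script walks a directory tree for purify*.js, reports each copy's version and whether it meets the minimum, and falls back to the in-file `version` assignment when the banner is missing. The banner format and the fallback pattern are assumptions about upstream DOMPurify builds; the sample file contents in the block are constructed, not taken from a Flare install. Point it at the Flare install directory named in the readme, and, if your published output also carries its own copy of this script, at the output folder as well, since replacing the file in the install does not change output that was already generated.

```python
"""Report the DOMPurify version in every purify*.js under a directory and flag
copies below a minimum version. Added example; not MadCap or DOMPurify code."""
import re
import sys
from pathlib import Path

# DOMPurify dist builds start with a banner such as
# "/*! @license DOMPurify 3.0.8 | (c) Cure53 and other contributors ... */".
# Assumption about upstream builds; the fallback catches `version = '3.0.8'`
# style assignments in case a copy was repackaged without the banner.
BANNER_RE = re.compile(r"@license DOMPurify (\d+\.\d+\.\d+)")
VERSION_RE = re.compile(r"""version\s*[=:]\s*["'](\d+\.\d+\.\d+)["']""")

# Minimum quoted in the thread from the Snyk advisory for dompurify 3.0.8.
MINIMUM_VERSION = "3.1.3"


def parse_version(version: str) -> tuple:
    """'3.10.2' -> (3, 10, 2): numeric compare, so 3.10 ranks above 3.2."""
    return tuple(int(part) for part in version.split("."))


def dompurify_version(js_text: str):
    """Return the version string found in a DOMPurify build, or None."""
    match = BANNER_RE.search(js_text) or VERSION_RE.search(js_text)
    return match.group(1) if match else None


def is_patched(version: str, minimum: str = MINIMUM_VERSION) -> bool:
    """True when `version` is at or above `minimum`."""
    return parse_version(version) >= parse_version(minimum)


def check_files(files, minimum: str = MINIMUM_VERSION):
    """files: iterable of (label, js_text). Returns [(label, version, ok)],
    where ok is None if no version could be read from the file."""
    report = []
    for label, text in files:
        version = dompurify_version(text)
        ok = is_patched(version, minimum) if version else None
        report.append((label, version, ok))
    return report


def scan_tree(root: Path, minimum: str = MINIMUM_VERSION):
    """Walk an install or output tree for purify*.js. The patch readme names
    Flare.app\\Resources\\WebHelp2\\Scripts\\purify.min.js in the install."""
    files = ((str(path), path.read_text(encoding="utf-8", errors="replace"))
             for path in root.rglob("purify*.js"))
    return check_files(files, minimum)


# Constructed sample inputs standing in for real files on disk.
SAMPLE_FILES = [
    ("old/purify.min.js",
     "/*! @license DOMPurify 3.0.8 | (c) Cure53 and other contributors */ !function(){}();"),
    ("patched/purify.min.js",
     "/*! @license DOMPurify 3.1.3 | (c) Cure53 and other contributors */ !function(){}();"),
    ("unbannered/purify.js",
     "var DOMPurify = {}; DOMPurify.version = '2.4.7';"),
    ("other/purify.min.js",
     "// some unrelated script that happens to share the file name"),
]

if __name__ == "__main__":
    # Usage: python check_dompurify.py "C:\Program Files\MadCap Software\MadCap Flare 20"
    # With no argument it runs over the constructed samples above.
    root = Path(sys.argv[1]) if len(sys.argv) > 1 else None
    report = scan_tree(root) if root else check_files(SAMPLE_FILES)
    for label, version, ok in report:
        status = "UNKNOWN" if ok is None else ("OK" if ok else "VULNERABLE")
        print(f"{status:10} {version or '?':8} {label}")
```

A copy that reports UNKNOWN is worth opening by hand: either it is not a DOMPurify build at all, or it was repackaged in a way this check does not recognise, and in neither case should it be taken as patched.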
laurieschu
Jr. Propeller Head
Posts: 7
Joined: Fri Mar 12, 2010 7:11 am

Re: DOMPurify 2.4.7 and 3.0.8 vulnerabilities in Flare

Post by laurieschu »

Hello all and thanks for the updates! We'll check out the patch!
Appreciate the speedy responses.
Thanks again!