
Update dependency sanitize-html to v1.11.2 #5

Open. Wants to merge 1 commit into base: master

Conversation


@dev-mend-for-github.aaakk.us.kg dev-mend-for-github.aaakk.us.kg bot commented Jan 12, 2025

This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
| sanitize-html | dependencies | minor | 1.4.2 -> 1.11.2 |

By merging this PR, the below vulnerabilities will be automatically resolved:

| Severity | CVSS Score | CVE |
|---|---|---|
| Critical | 9.1 | CVE-2019-10744 |
| High | 7.4 | CVE-2020-8203 |
| Medium | 6.5 | CVE-2018-3721 |
| Medium | 6.5 | CVE-2019-1010266 |
| Medium | 6.1 | CVE-2016-1000237 |
| Medium | 6.1 | CVE-2017-16016 |
| Medium | 5.6 | CVE-2018-16487 |
| Medium | 5.3 | CVE-2020-28500 |

Release Notes

apostrophecms/sanitize-html (sanitize-html)

v1.11.2

fixed README typo that interfered with readability due to markdown issues. No code changes. Thanks to Mikael Korpela. Also improved code block highlighting in README. Thanks to Alex Siman.

v1.11.1

fixed a regression introduced in 1.11.0 which caused the closing tag of the parent of a textarea tag to be lost. Thanks to Stefano Sala, who contributed the missing test.

v1.11.0

added the nonTextTags option, with tests.

v1.10.1

documentation cleanup. No code changes. Thanks to Rex Schrader.

v1.10.0

allowedAttributes now allows you to allow attributes for all tags by specifying * as the tag name. Thanks to Zdravko Georgiev.

v1.9.0

parser option allows options to be passed directly to htmlparser. Thanks to Danny Scott.

v1.8.0

  • transformTags now accepts the * wildcard to transform all tags. Thanks to Jamy Timmermans.

  • Text that has been modified by transformTags is then passed through textFilter. Thanks to Pavlo Yurichuk.

  • Content inside textarea is discarded if textarea is not allowed. I don't know why it took me this long to see that this is just common sense. Thanks to David Frank.

v1.7.2

removed array-includes dependency in favor of indexOf, which is a little more verbose but slightly faster and doesn't require a shim. Thanks again to Joseph Dykstra.

v1.7.1

removed lodash dependency, adding lighter dependencies and polyfills in its place. Thanks to Joseph Dykstra.

v1.7.0

introduced allowedSchemesByTag option. Thanks to Cameron Will.

v1.6.1

the string 'undefined' (as opposed to undefined) is perfectly valid text and shouldn't be expressly converted to the empty string.

v1.6.0

added textFilter option. Thanks to Csaba Palfi.

v1.5.3

do not escape special characters inside a script or style element, if they are allowed. This is consistent with the way browsers parse them; nothing closes them except the appropriate closing tag for the entire element. Of course, this only comes into play if you actually choose to allow those tags. Thanks to aletorrado.

v1.5.2

guard checks for allowed attributes correctly to avoid an undefined property error. Thanks to Zeke.

v1.5.1

updated to htmlparser2 1.8.x. Started using the decodeEntities option, which allows us to pass our filter evasion tests without the need to recursively invoke the filter.

v1.5.0

support for * wildcards in allowedAttributes. With tests. Thanks to Calvin Montgomery.

v1.4.3

invokes itself recursively until the markup stops changing to guard against this issue. Bump to htmlparser2 version 3.7.x.


dev-mend-for-github.aaakk.us.kg bot added the "security fix" label (Security fix generated by Mend) on Jan 12, 2025
dev-mend-for-github.aaakk.us.kg bot changed the title from "Update dependency sanitize-html to v1.11.2" to "Update dependency sanitize-html to v1.11.2 - autoclosed" on Jan 14, 2025
dev-mend-for-github.aaakk.us.kg bot deleted the whitesource-remediate/sanitize-html-1.x branch on January 14, 2025 07:26
dev-mend-for-github.aaakk.us.kg bot changed the title from "Update dependency sanitize-html to v1.11.2 - autoclosed" back to "Update dependency sanitize-html to v1.11.2" on Jan 14, 2025
dev-mend-for-github.aaakk.us.kg bot force-pushed the whitesource-remediate/sanitize-html-1.x branch from c28e08d to 6c3430e on January 14, 2025 09:19