
Conversation

@srijan2607 srijan2607 commented Dec 19, 2025

This pull request updates dependencies and enhances security in the notifications component. The most significant change is the introduction of the dompurify library to sanitize HTML content in notifications, which helps prevent XSS attacks. Additionally, several dependency versions are updated in the lockfile.

Security Improvements:

  • The NotificationsList component now sanitizes notification bodies using DOMPurify before rendering HTML, reducing the risk of cross-site scripting (XSS) vulnerabilities. [1] [2]

Dependency Updates:

  • Added dompurify as a production dependency in both package.json and package-lock.json. [1] [2] [3] [4]
  • Updated @types/trusted-types to version 2.0.7 in package-lock.json for compatibility with dompurify. [1] [2]
  • Moved http-proxy-middleware from devDependencies to dependencies in package-lock.json. [1] [2]

Description

This PR fixes a Cross-Site Scripting (XSS) vulnerability in the notifications display component. The NotificationsList.jsx component was using dangerouslySetInnerHTML to render notification bodies as raw HTML without any client-side sanitization.

Vulnerability: Malicious scripts (e.g., <script>alert('XSS')</script> or <img src="x" onerror="...">) could execute in the user's browser, potentially allowing attackers to steal session tokens, perform actions on behalf of users, or redirect to malicious sites.

Fix: Added DOMPurify library to sanitize HTML content before rendering, stripping dangerous scripts and event handlers while preserving safe HTML tags.

Changes:

  • Added dompurify dependency to package.json
  • Import DOMPurify in NotificationsList.jsx
  • Wrap notif?.body with DOMPurify.sanitize() before rendering

Type of change

  • Bug fix (non-breaking change which fixes an issue).

Checklist

  • I have read and understood the rules about how to Contribute to this project
  • The pull request is for the branch develop
  • A new plugin (analyzer, connector, visualizer, playbook, pivot or ingestor) was added or changed, in which case:
    • N/A - This is a security fix, not a plugin change
  • I have inserted the copyright banner at the start of the file: N/A - Modified existing file
  • Please avoid adding new libraries as requirements whenever it is possible. Use new libraries only if strictly needed to solve the issue you are working on.
    • Note: dompurify is the industry-standard library for HTML sanitization in JavaScript. It is strictly necessary to properly fix this XSS vulnerability.
  • If external libraries/packages with restrictive licenses were added, they were added in the Legal Notice section.
    • Note: DOMPurify uses Apache-2.0 or MPL-2.0 license (permissive, compatible with IntelOwl's license)
  • Linters (Black, Flake, Isort) gave 0 errors. ESLint passed with no errors.
  • I have added tests for the feature/bug I solved (see tests folder). All the tests (new and old ones) gave 0 errors.
  • If the GUI has been modified:
    • I have provided a screenshot of the result in the PR.
    • I have created new frontend tests for the new component or updated existing ones.
  • After you have submitted the PR, if DeepSource, Django Doctors or other third-party linters have triggered any alerts during the CI checks, I have solved those alerts.

Security Impact

| Aspect | Before | After |
|---|---|---|
| XSS Protection | None | Full sanitization via DOMPurify |
| Safe HTML Tags | N/A | `<b>`, `<i>`, `<a>`, `<p>`, etc. preserved |
| Script Tags | Executed | Stripped |
| Event Handlers | Executed | Stripped |

Files Changed

| File | Change |
|---|---|
| frontend/package.json | Added dompurify: ^3.3.1 |
| frontend/package-lock.json | Updated lock file |
| frontend/src/components/jobs/notification/NotificationsList.jsx | Import + sanitize HTML |

Related issue : #3123
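The before/after pattern the PR describes (raw `notif?.body` passed to `dangerouslySetInnerHTML`, versus the body passed through a sanitizer first), as an added example that is not code from the PR or from IntelOwl. DOMPurify needs a browser DOM, so the stand-in here is a small allowlist sanitizer written for this example (hypothetical names `allowlistSanitize`, `unsafeNotificationHtml`, `safeNotificationHtml`, and constructed sample bodies); it shows what "stripping scripts and event handlers while preserving safe tags" means in practice and can be run offline in Node.

```javascript
// Added example, not part of the IntelOwl PR. In the real component the sanitizer
// is DOMPurify.sanitize(); the allowlist walker below is a hypothetical stand-in
// so the rendering pattern can be exercised without a browser DOM.

const ALLOWED_TAGS = new Set(["b", "i", "em", "strong", "p", "br", "ul", "ol", "li", "code", "a"]);
const ALLOWED_ATTRS = { a: new Set(["href", "title"]) }; // every other attribute (onerror, style, ...) is dropped
// Elements whose body is code or embedded content rather than prose: drop the body too.
const DROP_WITH_CONTENT = new Set(["script", "style", "iframe", "object", "embed"]);

// One tag token: optional "/", a name, attributes, optional self-closing "/".
const TAG_RE = /^<\s*(\/?)\s*([a-zA-Z][a-zA-Z0-9]*)((?:\s+[^\s=>\/]+(?:\s*=\s*(?:"[^"]*"|'[^']*'|[^\s>"']+))?)*)\s*\/?\s*>/;
const ATTR_RE = /([^\s=>\/]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>"']+)))?/g;

// Text nodes and attribute values are always re-encoded on output.
function escapeText(s) {
  return s.replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;").replace(/"/g, "&quot;");
}

// Allow http(s), mailto and scheme-less relative URLs; reject every other scheme
// (javascript:, data:, vbscript:, ...) after removing the control characters and
// whitespace that browsers skip while parsing a scheme.
function safeHref(value) {
  const v = value.trim();
  const probe = v.replace(/[\u0000-\u0020]/g, "").toLowerCase();
  if (/^(https?:\/\/|mailto:)/.test(probe)) return v;
  if (!probe.includes(":")) return v; // no scheme: relative path, #anchor, ?query
  return null;
}

// Re-serialise only the attributes allowed for this tag, from a clean allowlist.
function serializeAttrs(rawAttrs, tag) {
  const allowed = ALLOWED_ATTRS[tag] || new Set();
  let out = "";
  for (const m of rawAttrs.matchAll(ATTR_RE)) {
    const name = m[1].toLowerCase();
    const value = m[2] ?? m[3] ?? m[4] ?? "";
    if (!allowed.has(name)) continue;                    // drops on* handlers, style, srcdoc, ...
    const v = name === "href" ? safeHref(value) : value;
    if (v === null) continue;                            // javascript: and friends rejected
    out += ` ${name}="${escapeText(v)}"`;
  }
  return out;
}

// Walk the input; emit allowed tags rebuilt from scratch, escape everything else.
function allowlistSanitize(html) {
  let out = "";
  let i = 0;
  while (i < html.length) {
    const lt = html.indexOf("<", i);
    if (lt === -1) { out += escapeText(html.slice(i)); break; }
    out += escapeText(html.slice(i, lt));                 // text between tags
    const m = TAG_RE.exec(html.slice(lt));
    if (!m) { out += "&lt;"; i = lt + 1; continue; }      // malformed tag: neutralise the "<"
    const [token, slash, rawName, rawAttrs] = m;
    const name = rawName.toLowerCase();
    i = lt + token.length;
    if (!slash && DROP_WITH_CONTENT.has(name)) {          // drop element and its whole body
      const close = new RegExp(`</\\s*${name}\\s*>`, "i").exec(html.slice(i));
      i = close ? i + close.index + close[0].length : html.length;
      continue;
    }
    if (!ALLOWED_TAGS.has(name)) continue;                // unknown element: drop tag, keep its text
    out += slash ? `</${name}>` : `<${name}${serializeAttrs(rawAttrs, name)}>`;
  }
  return out;
}

// Before: NotificationsList handed the body to dangerouslySetInnerHTML verbatim.
function unsafeNotificationHtml(body) {
  return { __html: body ?? "" };
}

// After: sanitize first. The PR does this with DOMPurify.sanitize(notif?.body);
// the sanitizer is injected here so the example runs without a DOM.
function safeNotificationHtml(body, sanitize = allowlistSanitize) {
  return { __html: sanitize(body ?? "") };
}

// Constructed sample notification bodies, including the payload shapes the PR names.
const SAMPLE_BODIES = [
  "<b>Job 42</b> finished",
  "<script>alert('XSS')</script>Analysis complete",
  '<img src="x" onerror="alert(1)">Report ready',
  '<a href="javascript:alert(1)" onclick="steal()">open</a>',
  '<a href="https://example.org/jobs/42">open</a>',
];

function demo() {
  return SAMPLE_BODIES.map((b) => ({
    before: unsafeNotificationHtml(b).__html,
    after: safeNotificationHtml(b).__html,
  }));
}

console.table(demo());
```

In the component the equivalent line is `dangerouslySetInnerHTML={{ __html: DOMPurify.sanitize(notif?.body) }}`. DOMPurify's `ALLOWED_TAGS` and `ALLOWED_ATTR` options give the same kind of narrowing as the allowlists above, which is worth setting when notifications only ever need a handful of inline tags. The hand-written walker is for illustration; DOMPurify parses with the browser's own HTML parser, which is why the PR ships that rather than a regex-based filter.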

@srijan2607 srijan2607 force-pushed the fix/xss-notifications-3123 branch from f079557 to ef9c012 on December 19, 2025 23:20
@srijan2607 srijan2607 (Author) commented:

@fgibertoni can you take a look

@srijan2607 srijan2607 (Author) commented:

@drosetti can you take a look

@fgibertoni fgibertoni requested a review from drosetti December 23, 2025 21:28
