
chore(deps): bump sanitize-html and @types/sanitize-html #234

Open

dependabot[bot] wants to merge 1 commit into master from dependabot-npm_and_yarn-multi-bc79c3310a

Conversation

dependabot[bot] (Contributor) commented on behalf of github on May 10, 2026

Bumps sanitize-html and @types/sanitize-html. These dependencies needed to be updated together.
Updates sanitize-html from 2.11.0 to 2.17.3

Changelog

Sourced from sanitize-html's changelog.

2.17.3 (2026-04-15)

Security

  • Fix vulnerability introduced in version 2.17.2 that allowed XSS attacks if the developer chose to permit option tags. There was no vulnerability when not explicitly allowing option tags.

2.17.2 (2026-03-19)

Changes

  • Upgrade htmlparser2 from 8.x to 10.1.0. This improves security by correctly decoding zero-padded numeric character references (e.g., &#0000001;) that previously bypassed javascript: URL detection. Also fixes double-encoding of entities inside raw text elements like textarea and option.

2.17.1 (2026-02-18)

Fixes

  • Fix unclosed tags (e.g., <hello) returning empty string in escape and recursiveEscape modes. Fixes #706. Thanks to Byeong Hyeon for the fix.

2.17.0 (2025-05-14)

  • Add preserveEscapedAttributes, allowing attributes on escaped disallowed tags to be retained. Thanks to Ben Elliot for this new option.

2.16.0 (2025-04-16)

  • Add onOpenTag and onCloseTag events to enable advanced filtering to hook into the parser. Thanks to Rimvydas Naktinis.

2.15.0 (2025-03-19)

  • Allow keeping tag content when discarding with exclusive filter by returning "excludeTag". Thanks to rChaoz.

2.14.0 (2024-12-18)

  • Fix adding text with transformTags in cases where it originally had no text child elements. Thanks to f0x.

2.13.1 (2024-10-03)

  • Fix to allow regex in allowedClasses wildcard whitelist. Thanks to anak-dev.

2.13.0 (2024-03-20)

  • Documentation update regarding minimum supported TypeScript version.

  • Added disallowedTagsMode: completelyDiscard option to remove the content also in HTML. Thanks to Gauav Kumar for this addition.

2.12.1 (2024-02-22)

  • Do not parse sourcemaps in post-css. This fixes a vulnerability in which information about the existence or non-existence of files on a server could be disclosed via properly crafted HTML input when the style attribute is allowed by the configuration. Thanks to the Snyk Security team for the disclosure and to Dylan Armstrong for the fix.

2.12.0 (2024-02-21)

... (truncated)

Maintainer changes

This version was pushed to npm by bodonkey, a new releaser for sanitize-html since your current version.


Updates @types/sanitize-html from 2.9.0 to 2.16.1


Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
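The 2.17.2 entry in the changelog above says that zero-padded numeric character references such as &#0000001; previously bypassed the javascript: URL check. The script below is an added example, not code from sanitize-html, htmlparser2 or this PR, that shows why the decoder matters: a hypothetical decoder that gives up on long digit runs leaves the reference in place, the scheme check then sees no scheme at all and treats the value as a relative URL, while a decoder that follows the HTML rule (leading zeros are insignificant) yields the control character, which a URL parser strips, exposing the javascript: scheme. It also covers the hex form (&#x000006A;), which is the same class. The function names, the digit cap in the "capped" decoder, the scheme allowlist and the sample attribute values are all this example's own assumptions.

```javascript
// Added example: contrast a digit-capped numeric-reference decoder with a
// spec-following one, and run the same javascript:-scheme check over both.
// Nothing here is sanitize-html's or htmlparser2's implementation.

const LEADING_C0_OR_SPACE = /^[\u0000-\u0020]+/; // a URL parser strips these at the start
const TAB_LF_CR = /[\t\n\r]/g;                    // and removes these anywhere
const ALLOWED_SCHEMES = new Set(['http', 'https', 'mailto']); // assumed allowlist

// Matches "&#123;" (decimal) or "&#x7B;" (hex); group 1 = hex digits, group 2 = decimal.
const NUMERIC_REF = /&#(?:x([0-9a-f]+)|([0-9]+));/gi;

// Hypothetical decoder with the bug class under discussion: references with
// more than maxDigits digits are left undecoded. This is a stand-in for
// "does not correctly decode zero-padded references", not real library code.
function decodeNumericRefsCapped(input, maxDigits = 6) {
  return input.replace(NUMERIC_REF, (match, hex, dec) => {
    const digits = hex !== undefined ? hex : dec;
    const cp = parseInt(digits, hex !== undefined ? 16 : 10);
    if (digits.length > maxDigits || cp > 0x10ffff) return match; // give up, keep text
    return String.fromCodePoint(cp);
  });
}

// Decoder that follows the HTML rule: the value is the integer the digits
// denote, so any number of leading zeros is fine. Code point 0, surrogates
// and values above U+10FFFF become U+FFFD as in the HTML tokenizer (the C1
// control remapping table is omitted; it does not matter for this example).
function decodeNumericRefs(input) {
  return input.replace(NUMERIC_REF, (match, hex, dec) => {
    let cp = hex !== undefined ? parseInt(hex, 16) : parseInt(dec, 10);
    if (!Number.isFinite(cp) || cp === 0 || cp > 0x10ffff ||
        (cp >= 0xd800 && cp <= 0xdfff)) {
      cp = 0xfffd;
    }
    return String.fromCodePoint(cp);
  });
}

// Mimics the parts of URL handling that matter here: decode the attribute
// value, strip leading C0 controls/space, drop tab/LF/CR, then read the scheme.
// Returns null when there is no scheme (a relative URL).
function urlScheme(href, decode) {
  const url = decode(href).replace(LEADING_C0_OR_SPACE, '').replace(TAB_LF_CR, '');
  const m = /^([a-z][a-z0-9+.-]*):/i.exec(url);
  return m ? m[1].toLowerCase() : null;
}

// Allow relative URLs and allowlisted schemes; reject everything else.
function isAllowedHref(href, decode) {
  const scheme = urlScheme(href, decode);
  return scheme === null || ALLOWED_SCHEMES.has(scheme);
}

// Constructed sample attribute values for the demonstration (not taken from any report).
const SAMPLES = {
  padded: '&#0000001;javascript:alert(1)',    // zero-padded ref in front of the scheme
  hexPadded: '&#x000006A;avascript:alert(1)', // the 'j' written as a zero-padded hex ref
  plain: 'javascript:alert(1)',               // caught by both decoders
  benign: 'https://example.com/',             // allowed by both decoders
};

// For each sample, report whether each decoder lets the href through.
function evaluate(samples) {
  const out = {};
  for (const [name, href] of Object.entries(samples)) {
    out[name] = {
      capped: isAllowedHref(href, decodeNumericRefsCapped),
      correct: isAllowedHref(href, decodeNumericRefs),
    };
  }
  return out;
}

console.table(evaluate(SAMPLES));
```

With the capped decoder the two padded samples are classified as relative URLs and pass; with the spec-following decoder they are seen as javascript: and rejected. The practical takeaway for a project taking this bump is that any custom allowedSchemes or transformTags logic that inspects href values should operate on fully decoded text, and that the library's own decoding now matches what the browser will do.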

Bumps [sanitize-html](https://github.com/apostrophecms/apostrophe/tree/HEAD/packages/sanitize-html) and [@types/sanitize-html](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/sanitize-html). These dependencies needed to be updated together.

Updates `sanitize-html` from 2.11.0 to 2.17.3
- [Changelog](https://github.com/apostrophecms/apostrophe/blob/main/packages/sanitize-html/CHANGELOG.md)
- [Commits](https://github.com/apostrophecms/apostrophe/commits/sanitize-html@2.17.3/packages/sanitize-html)

Updates `@types/sanitize-html` from 2.9.0 to 2.16.1
- [Release notes](https://github.com/DefinitelyTyped/DefinitelyTyped/releases)
- [Commits](https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/sanitize-html)

---
updated-dependencies:
- dependency-name: sanitize-html
  dependency-version: 2.17.3
  dependency-type: direct:production
  update-type: version-update:semver-minor
- dependency-name: "@types/sanitize-html"
  dependency-version: 2.16.1
  dependency-type: direct:development
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
dependabot[bot] added the labels dependencies (Pull requests that update a dependency file) and javascript (Pull requests that update javascript code) on May 10, 2026