Releases: cure53/DOMPurify

DOMPurify 2.5.4

20 May 11:08
10c1261
  • Fixed a bug with latest isNaN checks affecting MSIE, thanks @tulach
  • Fixed the tests for MSIE and fixed related test-runner

DOMPurify 3.1.3

11 May 12:00
3fe78d7
  • Fixed several mXSS variations found by and thanks to @kevin-mizu & @Ry0taK
  • Added better configurability for comment scrubbing default behavior
  • Added better hardening against Prototype Pollution attacks, thanks @kevin-mizu
  • Added better handling and readability of the nodeType property, thanks @ssi02014
  • Fixed some smaller issues in README and other documentation

DOMPurify 2.5.3

11 May 10:21
  • Fixed several mXSS variations found by and thanks to @kevin-mizu & @Ry0taK
  • Added better configurability for comment scrubbing default behavior
  • Added better hardening against Prototype Pollution attacks, thanks @kevin-mizu
  • Fixed some smaller issues in README and other documentation

DOMPurify 3.1.2

30 Apr 08:28
5b2e317
  • Addressed and fixed an mXSS variation found by @kevin-mizu
  • Addressed and fixed an mXSS variation found by Adam Kues of Assetnote
  • Updated tests for older Safari and Chrome versions

DOMPurify 2.5.2

30 Apr 08:26
d299fcc
  • Addressed and fixed an mXSS variation found by @kevin-mizu
  • Addressed and fixed an mXSS variation found by Adam Kues of Assetnote
  • Updated tests for older Safari and Chrome versions

DOMPurify 3.1.1

26 Apr 11:14
7a0a984
  • Fixed an mXSS sanitiser bypass reported by @icesfont
  • Added new code to track element nesting depth
  • Added new code to enforce a maximum nesting depth of 255
  • Added coverage tests and necessary clobbering protections

Note that this is a security release and users should upgrade to it immediately. Please also note that further releases may follow, as the underlying vulnerability is apparently new and further variations may be discovered.

DOMPurify 2.5.1

26 Apr 11:11
f275c0b
  • Fixed an mXSS sanitizer bypass reported by @icesfont
  • Added new code to track element nesting depth
  • Added new code to enforce a maximum nesting depth of 255
  • Added coverage tests and necessary clobbering protections

Note that this is a security release and users should upgrade to it immediately. Please also note that further releases may follow, as the underlying vulnerability is apparently new and further variations may be discovered.

DOMPurify 3.1.0

07 Apr 14:10
db19269
  • Added new setting SAFE_FOR_XML to enable better control over comment scrubbing
  • Updated README to warn about happy-dom not being safe for use with DOMPurify yet
  • Updated the LICENSE file to show the accurate year number
  • Updated several build and test dependencies

DOMPurify 2.5.0

07 Apr 14:08
7f6cf8a
  • Added new setting SAFE_FOR_XML to enable better control over comment scrubbing
  • Updated the LICENSE file to show the accurate year number
  • Updated several build and test dependencies

DOMPurify 3.0.11

21 Mar 11:21
a9fd4ae
  • Fixed another conditional bypass caused by Processing Instructions, thanks @Ry0taK
  • Fixed the regex for HTML Custom Element detection, thanks @AlekseySolovey3T