Releases: cure53/DOMPurify
Releases · cure53/DOMPurify
DOMPurify 2.5.4
- Fixed a bug with latest
isNaN
checks affecting MSIE, thanks @tulach - Fixed the tests for MSIE and fixed related test-runner
DOMPurify 3.1.3
- Fixed several mXSS variations found by and thanks to @kevin-mizu & @Ry0taK
- Added better configurability for comment scrubbing default behavior
- Added better hardening against Prototype Pollution attacks, thanks @kevin-mizu
- Added better handling and readability of the
nodeType
property, thanks @ssi02014 - Fixed some smaller issues in README and other documentation
DOMPurify 2.5.3
- Fixed several mXSS variations found by and thanks to @kevin-mizu & @Ry0taK
- Added better configurability for comment scrubbing default behavior
- Added better hardening against Prototype Pollution attacks, thanks @kevin-mizu
- Fixed some smaller issues in README and other documentation
DOMPurify 3.1.2
- Addressed and fixed a mXSS variation found by @kevin-mizu
- Addressed and fixed a mXSS variation found by Adam Kues of Assetnote
- Updated tests for older Safari and Chrome versions
DOMPurify 2.5.2
- Addressed and fixed a mXSS variation found by @kevin-mizu
- Addressed and fixed a mXSS variation found by Adam Kues of Assetnote
- Updated tests for older Safari and Chrome versions
DOMPurify 3.1.1
- Fixed an mXSS sanitiser bypass reported by @icesfont
- Added new code to track element nesting depth
- Added new code to enforce a maximum nesting depth of 255
- Added coverage tests and necessary clobbering protections
Note that this is a security release and should be upgraded to immediately. Please also note that further releases may follow as the underlying vulnerability is apparently new and further variations may be discovered.
DOMPurify 2.5.1
- Fixed an mXSS sanitizer bypass reported by @icesfont
- Added new code to track element nesting depth
- Added new code to enforce a maximum nesting depth of 255
- Added coverage tests and necessary clobbering protections
Note that this is a security release and should be upgraded to immediately. Please also note that further releases may follow as the underlying vulnerability is apparently new and further variations may be discovered.
DOMPurify 3.1.0
- Added new setting
SAFE_FOR_XML
to enable better control over comment scrubbing - Updated README to warn about happy-dom not being safe for use with DOMPurify yet
- Updated the LICENSE file to show the accurate year number
- Updated several build and test dependencies
DOMPurify 2.5.0
- Added new setting
SAFE_FOR_XML
to enable better control over comment scrubbing - Updated the LICENSE file to show the accurate year number
- Updated several build and test dependencies
DOMPurify 3.0.11
- Fixed another conditional bypass caused by Processing Instructions, thanks @Ry0taK
- Fixed the regex for HTML Custom Element detection, thanks @AlekseySolovey3T