Changelog History
Page 3
-
v2.0.2 Changes
September 23, 2019π Following the release of DOMPurify 2.0.1, a more thorough internal audit against Blink-based mXSS bugs was conducted. Several mXSS variations, spotted by @masatokinugawa were addressed and fixed. The fixes were reviewed and so far no new bypasses could be spotted.
π This release manages to find what is believed to be a more holistic way to prevent mXSS bugs, specifically coming from HTML attributes and tags nested inside SVG and MathML.
π Further, this release also addresses a DoS problem caused by sanitization of HTML tables when configured with potentially conflicting configuration settings.
-
v2.0.1 Changes
September 19, 2019- π Fixed a bypass affecting latest Chrome, caused by a newly discovered Chrome mXSS vulnerability
- β Added tests to cover implemented fixes
π± Credits go to MichaΕ Bentkowski (@securityMB) of Securitum who spotted the bug in Chrome, turned it into a DOMPurify bypass, reported and helped verifying the fix. π
-
v2.0.0 Changes
September 12, 2019Note: This release makes sure that, by default only string objects are returned (if not specified otherwise). This change relates to a surprising behavior in Chrome 77 - having to do with Trusted Types.
- π Changed the default behavior for Trusted Types (See #361)
- β Added a new config flag to manually enable Trusted Types support
- β Added support for more attributes
- π Fixed a minor CSP warning
-
v1.0.11 Changes
June 18, 2019- π Fixed a minor problem with persistent config flags
- π Fixed a problem with extraneous HTML elements
- π Fixed some minor issues in README and Demo
- Expanded the array of permitted SVG properties
- Expanded the array of permitted HTML properties