All Versions: 24
Latest Version
Avg Release Cycle: 23 days
Latest Release: 1020 days ago
Changelog History
Page 2

v2.0.12 Changes
June 24, 2020
- Fixed a minor bug when working with Trusted Types
- Fixed some typos in a demo file
- Fixed some wordings in code and docs

v2.0.11 Changes
May 06, 2020
- Fixed faulty behavior for non breaking space characters
- Added ADD_DATA_URI_TAGS directive to allow customizing Data URI tag behavior

v2.0.10 Changes
April 23, 2020
- Fixed a dependency problem causing builds to break
- Fixed a test in Chrome 83 covering Trusted Types

v2.0.9 Changes
April 22, 2020
- Removed a meanwhile useless parser check
- Added countless new attributes to whitelist
- Added whole new build and system
- Added license tag to compressed files
- Updated README for more clarity

v2.0.8 Changes
February 03, 2020
- Fixed a bypass that can be abused in case SAFE_FOR_JQUERY is used with jQuery 3.x, thanks @masatokinugawa
- Added new elements to whitelist, thanks @chris-morgan
- Added first layer of prototype poisoning protection, thanks @dejang
- Added better controls for uponSanitizeAttribute, thanks @devinrhode2
- Added demo for node removal, thanks @mikesnare

v2.0.7 Changes
October 21, 2019
- Fixed several mXSS vectors spotted, thanks @masatokinugawa
- Fixed a minor crash affecting MSIE11, see #372
- Fixed some typos and adjusted the README

v2.0.6 Changes
October 10, 2019
- Enhanced the checks for SVG-/MathML-based mXSS
- Removed several obtrusive checks and guards that are not needed any longer
- Added better test coverage
- Added better handling of situations where element removal causes mXSS
- Added better handling of content type switches causing mXSS

v2.0.5 Changes
October 08, 2019
- Fixed a logical issue causing overly aggressive SVG removal spotted by @thorn0

v2.0.4 Changes
October 07, 2019
Another mXSS variation was spotted by @masatokinugawa and got addressed and fixed in this release.
The fixes were reviewed and no new bypasses could be spotted at the moment.
Thanks, @masatokinugawa!
The sanitization logic for this kind of mXSS was changed to be less aggressive and still be able to spot all recent mXSS variations we know about right now, while also avoiding risky string matching.
Prayers and thoughts that this was the final variation. But better be on the lookout for more releases soon.

v2.0.3 Changes
September 25, 2019
- Fixed another mXSS variation affecting Chrome, Safari and Edge relating to HTML templates
- Fixed a bug in the config parser leading to unexpected results
Credits for the bypass again go to Michał Bentkowski (@securityMB) of Securitum, who spotted the bug in Chrome, turned it into another DOMPurify bypass, reported it and helped verify the fix.