🚀 Following the release of DOMPurify 2.0.1, a more thorough internal audit against Blink-based mXSS bugs was conducted. Several mXSS variations, spotted by @masatokinugawa were addressed and fixed. The fixes were reviewed and so far no new bypasses could be spotted.
🚀 This release manages to find what is believed to be a more holistic way to prevent mXSS bugs, specifically coming from HTML attributes and tags nested inside SVG and MathML.
🚀 Further, this release also addresses a DoS problem caused by sanitization of HTML tables when configured with potentially conflicting configuration settings.
- 🛠 Fixed a bypass affecting latest Chrome, caused by a newly discovered Chrome mXSS vulnerability
- ➕ Added tests to cover implemented fixes
🍱 Credits go to Michał Bentkowski (@securityMB) of Securitum who spotted the bug in Chrome, turned it into a DOMPurify bypass, reported and helped verifying the fix. 🙇
Note: This release makes sure that, by default only string objects are returned (if not specified otherwise). This change relates to a surprising behavior in Chrome 77 - having to do with Trusted Types.
- 🔄 Changed the default behavior for Trusted Types (See #361)
- ➕ Added a new config flag to manually enable Trusted Types support
- ➕ Added support for more attributes
- 🛠 Fixed a minor CSP warning
- 🛠 Fixed a minor problem with persistent config flags
- 🛠 Fixed a problem with extraneous HTML elements
- 🛠 Fixed some minor issues in README and Demo
- Expanded the array of permitted SVG properties
- Expanded the array of permitted HTML properties