All Versions
24
Latest Version
Avg Release Cycle
23 days
Latest Release
536 days ago

Changelog History
Page 3

  • v2.0.2 Changes

    September 23, 2019

    πŸš€ Following the release of DOMPurify 2.0.1, a more thorough internal audit against Blink-based mXSS bugs was conducted. Several mXSS variations, spotted by @masatokinugawa were addressed and fixed. The fixes were reviewed and so far no new bypasses could be spotted.

    πŸš€ This release manages to find what is believed to be a more holistic way to prevent mXSS bugs, specifically coming from HTML attributes and tags nested inside SVG and MathML.

    πŸš€ Further, this release also addresses a DoS problem caused by sanitization of HTML tables when configured with potentially conflicting configuration settings.

  • v2.0.1 Changes

    September 19, 2019
    • πŸ›  Fixed a bypass affecting latest Chrome, caused by a newly discovered Chrome mXSS vulnerability
    • βž• Added tests to cover implemented fixes

    🍱 Credits go to MichaΕ‚ Bentkowski (@securityMB) of Securitum who spotted the bug in Chrome, turned it into a DOMPurify bypass, reported and helped verifying the fix. πŸ™‡

  • v2.0.0 Changes

    September 12, 2019

    Note: This release makes sure that, by default only string objects are returned (if not specified otherwise). This change relates to a surprising behavior in Chrome 77 - having to do with Trusted Types.

    • πŸ”„ Changed the default behavior for Trusted Types (See #361)
    • βž• Added a new config flag to manually enable Trusted Types support
    • βž• Added support for more attributes
    • πŸ›  Fixed a minor CSP warning
  • v1.0.11 Changes

    June 18, 2019
    • πŸ›  Fixed a minor problem with persistent config flags
    • πŸ›  Fixed a problem with extraneous HTML elements
    • πŸ›  Fixed some minor issues in README and Demo
    • Expanded the array of permitted SVG properties
    • Expanded the array of permitted HTML properties