All Versions
24
Latest Version
Avg Release Cycle
23 days
Latest Release
1235 days ago
Changelog History
Page 1
Changelog History
Page 1
-
v2.2.3 Changes
December 07, 2020- π Fixed an mXSS issue reported by PewGrand
- π Fixed a minor issue with the license header
- π Fixed a problem with overly-eager CSS stripping
- β‘οΈ Updated the README and removed an XSS warning
-
v2.2.2 Changes
November 02, 2020- π Fixed an mXSS bypass dropped on us publicly via #482
- π Fixed an mXSS variation that was reported privately short after
- β Added dialog to permitted elements list
- π Fixed a small typo in the README
-
v2.2.0 Changes
October 21, 2020- π Fix a possible XSS in Chrome that is hidden behind #enable-experimental-web-platform-features, reported by @neilj and @mfreed7
- Changed
RETURN_DOM_IMPORTdefault totrueto address said possible XSS - Updated README to reflect the new change and inform about the risks of manually setting
RETURN_DOM_IMPORTback tofalse - π Fixed the tests to properly address the new default
-
v2.1.1 Changes
September 25, 2020- β Removed some code targeting old Safari versions
- β Removed some code targeting older MS Edge versions
- Re-added some code targeting older Chrome versions, thanks @terjanq
- Added new tests and removed unused SAFE_FOR_JQUERY test cases
- β Added Node 14.x to existing test coverage
-
v2.1.0 Changes
September 23, 2020- π Fixed several possible mXSS patterns, thanks @hackvertor
- Removed the
SAFE_FOR_JQUERYflag (we are safe by default now for jQuery) - β Removed several now useless mXSS checks
- β‘οΈ Updated the mXSS check for elements
- β‘οΈ Updated test cases to cover new sanitization strategy
- β‘οΈ Updated test website to use newer jQuery
- β‘οΈ Updated array of tested browsers and removed legacy browsers
- β Added "auto convert" checkbox to test website, thanks @hackvertor
-
v2.0.17 Changes
September 20, 2020- π Fixed another bypass causing mXSS by using MathML
-
v2.0.16 Changes
September 18, 2020- π Fixed an mXSS-based bypass caused by nested forms inside MathML
- π Fixed a security error thrown on older Chrome on Android versions, see #470
π± Credits for the bypass go to MichaΕ Bentkowski (@securityMB) of Securitum who spotted the bug in Chrome, turned it into another DOMPurify bypass, reported and helped verifying the fix πββοΈ πββοΈ
-
v2.0.15 Changes
September 03, 2020- β Added a renovated test suite, thanks @peernohell
- π Fixed some minor linter warnings
-
v2.0.14 Changes
August 27, 2020- π Fixed a problem with the documentMode default value
-
v2.0.13
August 27, 2020