
Changelog History

  • v2.0.12 Changes

    June 24, 2020
    • 🛠 Fixed a minor bug when working with Trusted Types
    • 🛠 Fixed some typos in a demo file
    • 🛠 Fixed some wordings in code and docs
  • v2.0.11 Changes

    May 06, 2020
    • 🛠 Fixed faulty behavior for non-breaking space characters
    • Added ADD_DATA_URI_TAGS directive to allow customizing Data URI tag behavior
  • v2.0.10 Changes

    April 23, 2020
    • 🛠 Fixed a dependency problem causing builds to break
    • 🛠 Fixed a test in Chrome 83 covering Trusted Types
  • v2.0.9 Changes

    April 22, 2020
    • ✂ Removed a parser check that has meanwhile become useless
    • ➕ Added countless new attributes to whitelist
    • ➕ Added whole new build and system
    • ➕ Added license tag to compressed files
    • ⚡️ Updated README for more clarity
  • v2.0.8 Changes

    February 03, 2020
    • Fixed a bypass that can be abused in case SAFE_FOR_JQUERY is used with jQuery 3.x, thanks @masatokinugawa 🙇‍♀
    • ➕ Added new elements to whitelist, thanks @chris-morgan
    • ➕ Added first layer of prototype poisoning protection, thanks @dejang
    • ➕ Added better controls for uponSanitizeAttribute, thanks @devinrhode2
    • ➕ Added demo for node removal, thanks @mikesnare
  • v2.0.7 Changes

    October 21, 2019
    • 🛠 Fixed several mXSS vectors spotted, thanks @masatokinugawa 🙇
    • 🛠 Fixed a minor crash affecting MSIE11, see #372
    • 🛠 Fixed some typos and adjusted the README
  • v2.0.6 Changes

    October 10, 2019
    • ✨ Enhanced the checks for SVG-/MathML-based mXSS
    • ✂ Removed several obtrusive checks and guards that are not needed any longer
    • ➕ Added better test coverage
    • ➕ Added better handling of situations where element removal causes mXSS
    • ➕ Added better handling of content type switches causing mXSS
  • v2.0.5 Changes

    October 08, 2019
    • 🛠 Fixed a logical issue causing overly aggressive SVG removal spotted by @thorn0
  • v2.0.4 Changes

    October 07, 2019

    🚀 Another mXSS variation was spotted by @masatokinugawa and got addressed and fixed in this release.

    The fixes were reviewed and no new bypasses could be spotted at the moment.
    🍱 Thanks, @masatokinugawa 🙇 🙇‍♀!

    The sanitization logic for this kind of mXSS was changed to be less aggressive and still be able to spot all recent mXSS variations we know about right now - while also avoiding risky string matching.

    🚀 Prayers and thoughts that this was the final variation. But better be on the lookout for more releases soon.

  • v2.0.3 Changes

    September 25, 2019
    • 🛠 Fixed another mXSS variation affecting Chrome, Safari and Edge relating to HTML templates
    • 🛠 Fixed a bug in the config parser leading to unexpected results

    🍱 Credits for the bypass again go to Michał Bentkowski (@securityMB) of Securitum who spotted the bug in Chrome, turned it into another DOMPurify bypass, reported and helped verify the fix 🙇 🙇‍♀