All Versions
Latest Version
Avg Release Cycle
23 days
Latest Release
1284 days ago

Changelog History
Page 1

  • v2.2.3 Changes

    December 07, 2020
    • πŸ›  Fixed an mXSS issue reported by PewGrand
    • πŸ›  Fixed a minor issue with the license header
    • πŸ›  Fixed a problem with overly-eager CSS stripping
    • ⚑️ Updated the README and removed an XSS warning
  • v2.2.2 Changes

    November 02, 2020
    • πŸ›  Fixed an mXSS bypass dropped on us publicly via #482
    • πŸ›  Fixed an mXSS variation that was reported privately short after
    • βž• Added dialog to permitted elements list
    • πŸ›  Fixed a small typo in the README
  • v2.2.0 Changes

    October 21, 2020
    • 🌐 Fix a possible XSS in Chrome that is hidden behind #enable-experimental-web-platform-features, reported by @neilj and @mfreed7
    • Changed RETURN_DOM_IMPORT default to true to address said possible XSS
    • Updated README to reflect the new change and inform about the risks of manually setting RETURN_DOM_IMPORT back to false
    • πŸ›  Fixed the tests to properly address the new default
  • v2.1.1 Changes

    September 25, 2020
    • βœ‚ Removed some code targeting old Safari versions
    • βœ‚ Removed some code targeting older MS Edge versions
    • Re-added some code targeting older Chrome versions, thanks @terjanq
    • Added new tests and removed unused SAFE_FOR_JQUERY test cases
    • βž• Added Node 14.x to existing test coverage
  • v2.1.0 Changes

    September 23, 2020
    • πŸ›  Fixed several possible mXSS patterns, thanks @hackvertor
    • Removed the SAFE_FOR_JQUERY flag (we are safe by default now for jQuery)
    • βœ‚ Removed several now useless mXSS checks
    • ⚑️ Updated the mXSS check for elements
    • ⚑️ Updated test cases to cover new sanitization strategy
    • ⚑️ Updated test website to use newer jQuery
    • ⚑️ Updated array of tested browsers and removed legacy browsers
    • βž• Added "auto convert" checkbox to test website, thanks @hackvertor
  • v2.0.17 Changes

    September 20, 2020
    • πŸ›  Fixed another bypass causing mXSS by using MathML
  • v2.0.16 Changes

    September 18, 2020
    • πŸ›  Fixed an mXSS-based bypass caused by nested forms inside MathML
    • πŸ›  Fixed a security error thrown on older Chrome on Android versions, see #470

    🍱 Credits for the bypass go to MichaΕ‚ Bentkowski (@securityMB) of Securitum who spotted the bug in Chrome, turned it into another DOMPurify bypass, reported and helped verifying the fix πŸ™‡β€β™‚οΈ πŸ™‡β€β™€οΈ

  • v2.0.15 Changes

    September 03, 2020
    • βž• Added a renovated test suite, thanks @peernohell
    • πŸ›  Fixed some minor linter warnings
  • v2.0.14 Changes

    August 27, 2020
    • πŸ›  Fixed a problem with the documentMode default value
  • v2.0.13

    August 27, 2020