allowProtocolRelativeoption. No code changes from 1.14.0, released a few moments ago.
allowProtocolRelativeoption, which is set to
trueby default, allows you to decline to accept URLs that start with
//and thus point to a different host using the current protocol. If you do not want to permit this, set this option to
false. This is fully backwards compatible because the default behavior is to allow them. Thanks to Luke Bernard.
transformTagscan now add text to an element that initially had none. Thanks to Dushyant Singh.
🏗 option to build for browser-side use. Thanks to Michael Blum.
fixed crash when
__proto__is a tag name. Now using a safe check for the existence of properties in all cases. Thanks to Andrew Krasichkov.
🛠 Fixed XSS attack vector via
textareatags (when explicitly allowed). Decided that
style(due to its own XSS vectors) cannot realistically be afforded any XSS protection if allowed, unless we add a full CSS parser. Thanks again to Andrew Krasichkov.
htmlparser2version to address crashing bug in older version. Thanks to e-jigsaw.
🛠 fixed README typo that interfered with readability due to markdown issues. No code changes. Thanks to Mikael Korpela. Also improved code block highlighting in README. Thanks to Alex Siman.
🛠 fixed a regression introduced in 1.11.0 which caused the closing tag of the parent of a
textareatag to be lost. Thanks to Stefano Sala, who contributed the missing test.
➕ added the
nonTextTagsoption, with tests.
📚 documentation cleanup. No code changes. Thanks to Rex Schrader.