Changelog History
-
v1.17.0 Changes
The new allowedIframeHostnames option. If present, this must be an array, and only iframe src URLs whose hostnames (complete hostnames; domain name matches are not enough) appear on this list are allowed. You must also configure hostname as an allowed attribute for iframe. Thanks to Ryan Verys for this contribution.
-
v1.16.3 Changes
Don't throw away the browserified versions before publishing them. prepare is not a good place to make clean, it runs after prepublish.
-
v1.16.2 Changes
sanitize-html is now compiled with babel. An npm prepublish script takes care of this at npm publish time, so the latest code should always be compiled to operate all the way back to ES5 browsers and earlier versions of Node. Thanks to Ayushya Jaiswal.

Please note that running sanitize-html in the browser is usually a security hole. Are you trusting the browser? Anyone could bypass that using the network panel. Sanitization is almost always best done on servers and that is the primary use case for this module.
-
v1.16.1 Changes
Changelog formatting only.
-
v1.16.0 Changes
Support for sanitizing inline CSS styles, by specifying the allowed attributes and a regular expression for each. Thanks to Cameron Will and Michael Loschiavo.
-
v1.15.0 Changes
If configured as an allowed attribute (not the default), check for naughty URLs in srcset attributes. Thanks to Mike Samuel for the nudge to do this and to Sindre Sorhus for the srcset module.
-
v1.14.3 Changes
The inadvertent removal of the lodash regexp quote dependency in 1.14.2 has been corrected.
-
v1.14.2 Changes
Protocol-relative URL detection must spot URLs starting with \\ rather than // due to ages-old tolerance features of web browsers, intended for sleepy Windows developers. Thanks to Martin Bajanik.
-
v1.14.1 Changes
Documented the allowProtocolRelative option. No code changes from 1.14.0, released a few moments ago.
-
v1.14.0 Changes
The new allowProtocolRelative option, which is set to true by default, allows you to decline to accept URLs that start with // and thus point to a different host using the current protocol. If you do not want to permit this, set this option to false. This is fully backwards compatible because the default behavior is to allow them. Thanks to Luke Bernard.
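
The checks described in the v1.17.0, v1.14.2 and v1.14.0 entries, combined into one function as an added example; this is not sanitize-html's own code. The names isProtocolRelative and iframeSrcAllowed, the embed.video.example hostnames and the relative.invalid base URL are assumptions made for illustration.

```javascript
// Added example: hypothetical helpers, not sanitize-html's own source.

// Browsers treat "\" like "/" in http(s) URLs, so "\\host", "/\host" and
// "\/host" all point at another host exactly as "//host" does.
function isProtocolRelative(url) {
  // Mirror what URL parsers discard before parsing: leading controls and
  // spaces, and tabs or newlines anywhere in the string.
  const cleaned = url.replace(/^[\u0000-\u0020]+/, '').replace(/[\t\n\r]/g, '');
  return /^[\/\\]{2}/.test(cleaned);
}

// Decide whether an iframe src may be kept.
//   allowedIframeHostnames: array of complete hostnames (exact match only)
//   allowProtocolRelative:  when false, decline "//host/..." style URLs
function iframeSrcAllowed(src, { allowedIframeHostnames, allowProtocolRelative = true }) {
  if (!allowProtocolRelative && isProtocolRelative(src)) return false;
  let parsed;
  try {
    // The base only lets protocol-relative input parse; "relative.invalid"
    // is a constructed placeholder, so plain relative paths resolve to it
    // and are rejected below because it is never on the list.
    parsed = new URL(src, 'https://relative.invalid/');
  } catch (e) {
    return false; // unparseable input is dropped
  }
  if (parsed.protocol !== 'http:' && parsed.protocol !== 'https:') return false;
  // Complete-hostname comparison: a suffix or substring match is not enough.
  return allowedIframeHostnames.includes(parsed.hostname);
}

// Constructed sample inputs.
const options = {
  allowedIframeHostnames: ['embed.video.example'],
  allowProtocolRelative: false
};
const samples = [
  'https://embed.video.example/v/1',            // exact hostname
  'https://video.example/v/1',                  // parent domain only
  'https://embed.video.example.other.test/v/1', // allowed name as a prefix
  '//embed.video.example/v/1',                  // protocol-relative
  '\\\\embed.video.example/v/1',                // same, written with backslashes
  '/media/local.html'                           // no hostname at all
];
for (const src of samples) {
  console.log(JSON.stringify(src), '->', iframeSrcAllowed(src, options));
}
```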