`iframe` is an allowed tag by default, to better facilitate typical use cases and the use of the
- 📚 Documentation improvements.
- 💻 More browser packaging improvements.
- 👍 Protocol-relative URLs are properly supported for iframe tags.
- ✅ Travis tests passing.
- 🛠 Fixed another case issue — and instituted Travis CI testing so this doesn't happen again. Sorry for the hassle.
- 🐧 A file was required with incorrect case, breaking the library on case sensitive filesystems such as Linux. Fixed.
- 0️⃣ The new `allowedSchemesAppliedToAttributes` option. This determines which attributes are validated as URLs, replacing the old hardcoded list of `href` only. The default list now includes `cite`. Thanks to ml-dublin for this contribution.
- 🔧 It is now easy to configure a specific list of allowed values for an attribute. When configuring `allowedAttributes`, rather than listing an attribute name, simply list an object with an attribute `name` property and an allowed `values` array property. You can also add `multiple: true` to allow multiple space-separated allowed values in the attribute; otherwise the attribute must match one and only one of the allowed values. Thanks again to ml-dublin for this contribution.
- 🛠 Fixed a bug in the npm test procedure.
- 🔧 The new `allowedIframeHostnames` option. If present, this must be an array, and only iframe `src` URLs whose hostnames (complete hostnames; domain name matches are not enough) appear on this list are allowed. You must also configure `hostname` as an allowed attribute for `iframe`. Thanks to Ryan Verys for this contribution.
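The exact-hostname rule for iframe `src` URLs described above (including the protocol-relative URLs mentioned earlier in this changelog), as an added standalone illustration; this is not sanitize-html's own implementation, and the allowed-hostname list and sample URLs are constructed for the example. It relies only on Node's global WHATWG `URL` class.

```javascript
// Added illustration of an allowedIframeHostnames-style check (not the
// library's code): accept an iframe src only when its complete hostname is
// on an explicit allow list.
function iframeSrcAllowed(src, allowedHostnames) {
  const value = String(src).trim();
  // A protocol-relative URL ("//host/path") has no scheme of its own. Resolve
  // it against an https: base so its hostname is still extracted and checked
  // instead of the value being skipped or rejected outright.
  const candidate = value.startsWith('//') ? 'https:' + value : value;
  let parsed;
  try {
    parsed = new URL(candidate);
  } catch (err) {
    return false; // relative paths and unparseable values carry no hostname
  }
  // Only web schemes make sense for an embedded frame.
  if (parsed.protocol !== 'http:' && parsed.protocol !== 'https:') {
    return false;
  }
  // Exact match on the complete hostname. A suffix or substring comparison
  // would accept "www.youtube.com.attacker.example" or "notyoutube.com";
  // parsing with URL also keeps userinfo ("https://www.youtube.com@other.example/")
  // out of the hostname, so that form is rejected too.
  const hostname = parsed.hostname.toLowerCase();
  return allowedHostnames.some((allowed) => allowed.toLowerCase() === hostname);
}

// Constructed sample allow list and inputs for a quick self-check.
const ALLOWED_IFRAME_HOSTNAMES = ['www.youtube.com', 'player.vimeo.com'];
const SAMPLE_SRCS = [
  'https://www.youtube.com/embed/abc',          // allowed
  '//www.youtube.com/embed/abc',                // protocol-relative, allowed
  'https://www.youtube.com.attacker.example/x', // suffix only, rejected
  'https://www.youtube.com@other.example/x',    // userinfo trick, rejected
  'javascript:alert(1)',                        // non-web scheme, rejected
  '/embed/abc',                                 // relative, no hostname, rejected
];
for (const src of SAMPLE_SRCS) {
  console.log(iframeSrcAllowed(src, ALLOWED_IFRAME_HOSTNAMES), src);
}
```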
- 💻 Don't throw away the browserified versions before publishing them. `prepare` is not a good place to `make clean`, it runs after
- `sanitize-html` is now compiled with `babel`. An npm `prepublish` script takes care of this at `npm publish` time, so the latest code should always be compiled to operate all the way back to ES5 browsers and earlier versions of Node. Thanks to Ayushya Jaiswal.
- 🔒 Please note that running `sanitize-html` in the browser is usually a security hole. Are you trusting the browser? Anyone could bypass that using the network panel. Sanitization is almost always best done on servers, and that is the primary use case for this module.
- 🔄 Changelog formatting only.
- 👌 Support for sanitizing inline CSS styles, by specifying the allowed attributes and a regular expression for each. Thanks to Cameron Will and Michael Loschiavo.
- 🔧 If configured as an allowed attribute (not the default), check for naughty URLs in `srcset` attributes. Thanks to Mike Samuel for the nudge to do this and to Sindre Sorhus for the