Changelog History

  • v1.17.0 Changes

    The new allowedIframeHostnames option. If present, this must be an array, and only iframe src URL hostnames (complete hostnames; domain name matches are not enough) that appear on this list are allowed. You must also configure hostname as an allowed attribute for iframe. Thanks to Ryan Verys for this contribution.

  • v1.16.3 Changes

    Don't throw away the browserified versions before publishing them. prepare is not a good place to run make clean; it runs after prepublish.

  • v1.16.2 Changes

    sanitize-html is now compiled with babel. An npm prepublish script takes care of this at npm publish time, so the latest code should always be compiled to operate all the way back to ES5 browsers and earlier versions of Node. Thanks to Ayushya Jaiswal.

    Please note that running sanitize-html in the browser is usually a security hole. Are you trusting the browser? Anyone could bypass that using the network panel. Sanitization is almost always best done on servers and that is the primary use case for this module.

  • v1.16.1 Changes

    Changelog formatting only.

  • v1.16.0 Changes

    Support for sanitizing inline CSS styles, by specifying the allowed attributes and a regular expression for each. Thanks to Cameron Will and Michael Loschiavo.

  • v1.15.0 Changes

    If srcset is configured as an allowed attribute (not the default), check for naughty URLs in srcset attributes. Thanks to Mike Samuel for the nudge to do this and to Sindre Sorhus for the srcset module.

  • v1.14.3 Changes

    Inadvertent removal of lodash regexp quote dependency in 1.14.2 has been corrected.

  • v1.14.2 Changes

    ๐Ÿ protocol-relative URL detection must spot URLs starting with \\ rather than // due to ages-old tolerance features of web browsers, intended for sleepy Windows developers. Thanks to Martin Bajanik.

  • v1.14.1 Changes

    Documented the allowProtocolRelative option. No code changes from 1.14.0, released a few moments ago.

  • v1.14.0 Changes

    The new allowProtocolRelative option, which is set to true by default, allows you to decline to accept URLs that start with // and thus point to a different host using the current protocol. If you do not want to permit this, set this option to false. This is fully backwards compatible because the default behavior is to allow them. Thanks to Luke Bernard.
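
The protocol-relative handling described under v1.14.0 and v1.14.2, as an added example that is not sanitize-html's own code: it resolves attribute values the way a browser does and shows why a check for // alone misses the backslash forms. The function names, the BASE page URL and the sample values are assumptions made for illustration; only the option name allowProtocolRelative comes from the changelog.

```javascript
// Added example; not sanitize-html's own implementation.
// BASE is a constructed page URL used only to resolve relative references.
const BASE = 'https://site.example/articles/post.html';

// Naive check: only recognises the forward-slash form.
function naiveIsProtocolRelative(value) {
  return value.startsWith('//');
}

// Browser-aware check. For http(s) pages the URL parser treats "\" like "/",
// ignores leading whitespace/control characters and drops tab/newline
// characters, so "\\host", "/\host" and " //host" all leave the page's host.
function isProtocolRelative(value) {
  const v = value.replace(/[\t\n\r]/g, '').replace(/^[\u0000-\u0020]+/, '');
  return /^[\\/]{2}/.test(v);
}

// Hypothetical helper: applies only the protocol-relative policy to an
// href/src value. Scheme allowlisting is a separate check and out of scope.
function checkUrl(value, { allowProtocolRelative = true } = {}) {
  let host;
  try {
    host = new URL(value, BASE).host; // the host a browser would contact
  } catch (err) {
    return { allowed: false, protocolRelative: false, host: null };
  }
  const protocolRelative = isProtocolRelative(value);
  return { allowed: allowProtocolRelative || !protocolRelative, protocolRelative, host };
}

// Constructed sample attribute values.
const samples = ['/img/logo.png', '//cdn.example/lib.js', '\\\\cdn.example/lib.js',
  '/\\cdn.example/lib.js', 'https://cdn.example/lib.js'];

for (const s of samples) {
  const r = checkUrl(s, { allowProtocolRelative: false });
  console.log(JSON.stringify(s), 'naive:', naiveIsProtocolRelative(s), JSON.stringify(r));
}
```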