Releases: cure53/DOMPurify
DOMPurify 2.2.4
- Fixed a new MathML-based bypass submitted by PewGrand
- Fixed a new SVG-related bypass submitted by SecurityMB
- Updated NodeJS CI to Node 14.x and Node 15.x
- Cleaned up `_forceRemove` logic for better reliability
DOMPurify 2.2.3
- Fixed an mXSS issue reported by PewGrand
- Fixed a minor issue with the license header
- Fixed a problem with overly-eager CSS stripping
- Updated the README and removed an XSS warning
DOMPurify 2.2.2
- Fixed an mXSS bypass dropped on us publicly via #482
- Fixed an mXSS variation that was reported privately shortly after
- Added dialog to permitted elements list
- Fixed a small typo in the README
DOMPurify 2.2.0
- Fix a possible XSS in Chrome that is hidden behind #enable-experimental-web-platform-features, reported by @neilj and @mfreed7
- Changed `RETURN_DOM_IMPORT` default to `true` to address said possible XSS
- Updated README to reflect the new change and inform about the risks of manually setting `RETURN_DOM_IMPORT` back to `false`
- Fixed the tests to properly address the new default
DOMPurify 2.1.1
- Removed some code targeting old Safari versions
- Removed some code targeting older MS Edge versions
- Re-added some code targeting older Chrome versions, thanks @terjanq
- Added new tests and removed unused SAFE_FOR_JQUERY test cases
- Added Node 14.x to existing test coverage
DOMPurify 2.1.0
- Fixed several possible mXSS patterns, thanks @hackvertor
- Removed the `SAFE_FOR_JQUERY` flag (we are safe by default now for jQuery)
- Removed several now useless mXSS checks
- Updated the mXSS check for elements
- Updated test cases to cover new sanitization strategy
- Updated test website to use newer jQuery
- Updated array of tested browsers and removed legacy browsers
- Added "auto convert" checkbox to test website, thanks @hackvertor
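Two of the entries above change how a DOMPurify configuration should be read: 2.2.0 flipped the default of `RETURN_DOM_IMPORT` to `true` because leaving it `false` exposed a possible XSS in Chrome, and 2.1.0 removed `SAFE_FOR_JQUERY` outright. The following is an added example (not DOMPurify's own code, and not part of these release notes) of a small Node script that lints a sanitizer config for those two settings and checks that the resolved `dompurify` version in a lockfile is at least the newest release listed on this page. The lockfile excerpt is constructed for the example, and the floor version, the `lintConfig`, `meetsFloor` and `checkLock` helper names, and the lockfile path key are all assumptions of this example, not anything DOMPurify ships.

```javascript
// Added example, not DOMPurify's own code: lint a DOMPurify config against the
// changes in the 2.1.0 and 2.2.0 release notes, and enforce a version floor.

// Newest version listed on this page; assumption for this example, raise it
// as newer releases appear.
const MIN_DOMPURIFY = '2.2.4';

// Parse "MAJOR.MINOR.PATCH" (optional leading "v") into three numbers.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)$/.exec(String(v).trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1).map(Number);
}

// True when `installed` is greater than or equal to `floor`, comparing
// major, then minor, then patch numerically (so 2.2.10 >= 2.2.4).
function meetsFloor(installed, floor) {
  const a = parseVersion(installed);
  const b = parseVersion(floor);
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] > b[i];
  }
  return true;
}

// Flag options whose meaning changed in the releases above. Returns an array
// of human-readable findings; an empty array means nothing to report.
function lintConfig(cfg) {
  const findings = [];
  if (!cfg || typeof cfg !== 'object') return findings;
  if (Object.prototype.hasOwnProperty.call(cfg, 'RETURN_DOM_IMPORT') &&
      cfg.RETURN_DOM_IMPORT === false) {
    findings.push('RETURN_DOM_IMPORT is explicitly false: since 2.2.0 the ' +
      'default is true to address a possible XSS in Chrome; do not turn it off');
  }
  if (Object.prototype.hasOwnProperty.call(cfg, 'SAFE_FOR_JQUERY')) {
    findings.push('SAFE_FOR_JQUERY was removed in 2.1.0 (jQuery-safe by ' +
      'default); the option is ignored and only gives a false sense of control');
  }
  return findings;
}

// Check the resolved dompurify version in an npm lockfile (lockfileVersion 2
// "packages" shape). The lockfile object is passed in so this runs offline.
function checkLock(lock, floor = MIN_DOMPURIFY) {
  const entry = lock && lock.packages && lock.packages['node_modules/dompurify'];
  if (!entry || !entry.version) {
    return { ok: false, reason: 'dompurify not found in lockfile' };
  }
  const ok = meetsFloor(entry.version, floor);
  return { ok, reason: ok ? 'ok' : `dompurify ${entry.version} is below ${floor}` };
}

// Constructed sample input for this example; not a real project's lockfile.
const SAMPLE_LOCK = { packages: { 'node_modules/dompurify': { version: '2.2.1' } } };
// Constructed sample config with both problematic settings.
const SAMPLE_CONFIG = { RETURN_DOM_IMPORT: false, SAFE_FOR_JQUERY: true };

console.log(checkLock(SAMPLE_LOCK));
console.log(lintConfig(SAMPLE_CONFIG));
```

The lockfile check is deliberately a floor rather than an exact pin: every 2.2.x entry above closes a bypass, so a range that merely allows 2.2.0 is not enough on its own. The config lint catches the one setting the 2.2.0 notes explicitly warn against changing back, plus the flag that no longer does anything.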
DOMPurify 2.0.17
- Fixed another bypass causing mXSS by using MathML
DOMPurify 2.0.16
- Fixed an mXSS-based bypass caused by nested forms inside MathML
- Fixed a security error thrown on older versions of Chrome on Android, see #470
Credits for the bypass go to Michał Bentkowski (@securityMB) of Securitum, who spotted the bug in Chrome, turned it into another DOMPurify bypass, reported it and helped verify the fix 🙇‍♂️ 🙇‍♀️
DOMPurify 2.0.15
- Added a renovated test suite, thanks @peernohell
- Fixed some minor linter warnings
DOMPurify 2.0.14
- Fixed a problem with the documentMode default value