Explore
By company size
By use case
By industry
View all solutions
Topics
- AI
- DevOps
- Security
- Software Development
- View all
Explore
- GitHub Sponsors
  Fund open source developers
- The ReadME Project
  GitHub community articles
Repositories
- Enterprise platform
  AI-powered developer platform
Available add-ons
Pricing

Search code, repositories, users, issues, pull requests...

Clear

Search syntax tips

Provide feedback

We read every piece of feedback, and take your input very seriously.

Include my email address so I can be contacted

Saved searches

Use saved searches to filter your results more quickly

Name

Query

To see all available qualifiers, see our documentation.

You signed in with another tab or window. Reload to refresh your session. You signed out in another tab or window. Reload to refresh your session. You switched accounts on another tab or window. Reload to refresh your session.

Dismiss alert

cure53 / DOMPurify Public

Notifications You must be signed in to change notification settings
Fork 765
Star 14.8k

Code
Issues
Pull requests 1
Actions
Projects
Wiki
Security
Insights

Additional navigation options

Code
Issues
Pull requests
Actions
Projects
Wiki
Security
Insights

Releases: cure53/DOMPurify

Releases Tags

Releases · cure53/DOMPurify

DOMPurify 2.2.4

15 Dec 16:36

cure53

2.2.4

499b3bb

This commit was signed with the committer’s verified signature.

cure53 Cure53

GPG key ID: 5F0CDACD24BB6BF4

Verified

Learn about vigilant mode.

Compare

Choose a tag to compare

View all tags

DOMPurify 2.2.4

Fixed a new MathML-based bypass submitted by PewGrand
Fixed a new SVG-related bypass submitted by SecurityMB
Updated NodeJS CI to Node 14.x and Node 15.x
Cleaned up _forceRemove logic for better reliability

Assets 2

All reactions

DOMPurify 2.2.3

07 Dec 13:25

cure53

2.2.3

e7086f7

This commit was signed with the committer’s verified signature.

cure53 Cure53

GPG key ID: 5F0CDACD24BB6BF4

Verified

Learn about vigilant mode.

Compare

Choose a tag to compare

View all tags

DOMPurify 2.2.3

Fixed an mXSS issue reported by PewGrand
Fixed a minor issue with the license header
Fixed a problem with overly-eager CSS stripping
Updated the README and removed an XSS warning

Assets 2

All reactions

DOMPurify 2.2.2

02 Nov 20:04

cure53

2.2.2

7923e10

This commit was signed with the committer’s verified signature.

cure53 Cure53

GPG key ID: 5F0CDACD24BB6BF4

Verified

Learn about vigilant mode.

Compare

Choose a tag to compare

View all tags

DOMPurify 2.2.2

Fixed an mXSS bypass dropped on us publicly via #482
Fixed an mXSS variation that was reported privately short after
Added dialog to permitted elements list
Fixed a small typo in the README

Assets 2

All reactions

DOMPurify 2.2.0

21 Oct 07:30

cure53

2.2.0

0e31dce

This commit was signed with the committer’s verified signature.

cure53 Cure53

GPG key ID: 5F0CDACD24BB6BF4

Verified

Learn about vigilant mode.

Compare

Choose a tag to compare

View all tags

DOMPurify 2.2.0

Fix a possible XSS in Chrome that is hidden behind #enable-experimental-web-platform-features, reported by @neilj and @mfreed7
Changed RETURN_DOM_IMPORT default to true to address said possible XSS
Updated README to reflect the new change and inform about the risks of manually setting RETURN_DOM_IMPORT back to false
Fixed the tests to properly address the new default

Assets 2

All reactions

DOMPurify 2.1.1

25 Sep 11:47

cure53

2.1.1

32b3241

This commit was signed with the committer’s verified signature.

cure53 Cure53

GPG key ID: 5F0CDACD24BB6BF4

Verified

Learn about vigilant mode.

Compare

Choose a tag to compare

View all tags

DOMPurify 2.1.1

Removed some code targeting old Safari versions
Removed some code targeting older MS Edge versions
Re-added some code targeting older Chrome versions, thanks @terjanq
Added new tests and removed unused SAFE_FOR_JQUERY test cases
Added Node 14.x to existing test coverage

Assets 2

All reactions

DOMPurify 2.1.0

23 Sep 08:42

cure53

2.1.0

1f1c119

This commit was signed with the committer’s verified signature.

cure53 Cure53

GPG key ID: 5F0CDACD24BB6BF4

Verified

Learn about vigilant mode.

Compare

Choose a tag to compare

View all tags

DOMPurify 2.1.0

Fixed several possible mXSS patterns, thanks @hackvertor
Removed the SAFE_FOR_JQUERY flag (we are safe by default now for jQuery)
Removed several now useless mXSS checks
Updated the mXSS check for elements
Updated test cases to cover new sanitization strategy
Updated test website to use newer jQuery
Updated array of tested browsers and removed legacy browsers
Added "auto convert" checkbox to test website, thanks @hackvertor

Assets 2

All reactions

DOMPurify 2.0.17

20 Sep 08:47

cure53

2.0.17

f04574b

This commit was signed with the committer’s verified signature.

cure53 Cure53

GPG key ID: 43A94EA3B4323240

Verified

Learn about vigilant mode.

Compare

Choose a tag to compare

View all tags

DOMPurify 2.0.17

Fixed another bypass causing mXSS by using MathML

Assets 2

All reactions

DOMPurify 2.0.16

18 Sep 12:30

cure53

2.0.16

63061bf

This commit was signed with the committer’s verified signature.

cure53 Cure53

GPG key ID: 5F0CDACD24BB6BF4

Verified

Learn about vigilant mode.

Compare

Choose a tag to compare

View all tags

DOMPurify 2.0.16

Fixed an mXSS-based bypass caused by nested forms inside MathML
Fixed a security error thrown on older Chrome on Android versions, see #470

Credits for the bypass go to Michał Bentkowski (@securityMB) of Securitum who spotted the bug in Chrome, turned it into another DOMPurify bypass, reported and helped verifying the fix 🙇‍♂️ 🙇‍♀️

Assets 2