Skip to content

Releases: cure53/DOMPurify

DOMPurify 2.2.4

15 Dec 16:36
499b3bb
Compare
Choose a tag to compare
  • Fixed a new MathML-based bypass submitted by PewGrand
  • Fixed a new SVG-related bypass submitted by SecurityMB
  • Updated NodeJS CI to Node 14.x and Node 15.x
  • Cleaned up _forceRemove logic for better reliability

DOMPurify 2.2.3

07 Dec 13:25
e7086f7
Compare
Choose a tag to compare
  • Fixed an mXSS issue reported by PewGrand
  • Fixed a minor issue with the license header
  • Fixed a problem with overly-eager CSS stripping
  • Updated the README and removed an XSS warning

DOMPurify 2.2.2

02 Nov 20:04
7923e10
Compare
Choose a tag to compare
  • Fixed an mXSS bypass dropped on us publicly via #482
  • Fixed an mXSS variation that was reported privately short after
  • Added dialog to permitted elements list
  • Fixed a small typo in the README

DOMPurify 2.2.0

21 Oct 07:30
0e31dce
Compare
Choose a tag to compare
  • Fix a possible XSS in Chrome that is hidden behind #enable-experimental-web-platform-features, reported by @neilj and @mfreed7
  • Changed RETURN_DOM_IMPORT default to true to address said possible XSS
  • Updated README to reflect the new change and inform about the risks of manually setting RETURN_DOM_IMPORT back to false
  • Fixed the tests to properly address the new default

DOMPurify 2.1.1

25 Sep 11:47
32b3241
Compare
Choose a tag to compare
  • Removed some code targeting old Safari versions
  • Removed some code targeting older MS Edge versions
  • Re-added some code targeting older Chrome versions, thanks @terjanq
  • Added new tests and removed unused SAFE_FOR_JQUERY test cases
  • Added Node 14.x to existing test coverage

DOMPurify 2.1.0

23 Sep 08:42
1f1c119
Compare
Choose a tag to compare
  • Fixed several possible mXSS patterns, thanks @hackvertor
  • Removed the SAFE_FOR_JQUERY flag (we are safe by default now for jQuery)
  • Removed several now useless mXSS checks
  • Updated the mXSS check for elements
  • Updated test cases to cover new sanitization strategy
  • Updated test website to use newer jQuery
  • Updated array of tested browsers and removed legacy browsers
  • Added "auto convert" checkbox to test website, thanks @hackvertor

DOMPurify 2.0.17

20 Sep 08:47
f04574b
Compare
Choose a tag to compare
  • Fixed another bypass causing mXSS by using MathML

DOMPurify 2.0.16

18 Sep 12:30
63061bf
Compare
Choose a tag to compare
  • Fixed an mXSS-based bypass caused by nested forms inside MathML
  • Fixed a security error thrown on older Chrome on Android versions, see #470

Credits for the bypass go to Michał Bentkowski (@securityMB) of Securitum who spotted the bug in Chrome, turned it into another DOMPurify bypass, reported and helped verifying the fix 🙇‍♂️ 🙇‍♀️

DOMPurify 2.0.15

03 Sep 10:10
c025bc8
Compare
Choose a tag to compare
  • Added a renovated test suite, thanks @peernohell
  • Fixed some minor linter warnings

DOMPurify 2.0.14

27 Aug 21:02
77a7fe7
Compare
Choose a tag to compare
  • Fixed a problem with the documentMode default value