
Releases: cure53/DOMPurify

DOMPurify 0.8.3

18 Aug 15:00
  • Reduced the NPM package footprint

DOMPurify 0.8.2

09 Jun 16:14
d9c3bef
  • Fixed a bug with the handling of binary attributes
  • Added more test cases

DOMPurify 0.8.1

06 Jun 11:34
  • Fixed a security bug that occurred when ALLOW_UNKNOWN_PROTOCOLS is set to true (not the default), reported and addressed by @neilj
  • Added more tests to cover the security fix
  • Added more browsers to BrowserStack test-array
  • Fixed a minor issue with the DOM element removal log

DOMPurify 0.8.0

24 May 13:30
7aa9772
  • Added DOMPurify.removed to allow analyzing what elements and attributes were removed
  • Added much better compatibility with SVG images, filters and other SVG elements
  • Enhanced support for Data URIs
  • Enhanced support for Node.js and jsdom
  • Enhanced tests and reduced useless output
  • Added automated tests for Node.js and jsdom support
  • Added more browsers to automated tests (Edge 13, Chrome 50, Firefox 46)
  • Updated documentation and credits
  • Fixed smaller glitches on MSIE10
  • Fixed an issue with Shadow DOM on mobile Chrome

DOMPurify 0.7.4

17 Feb 13:55
  • Moved handling of URI-attributes from black-list to white-list
  • Optimized the code
  • Optimized regular expressions in use
  • Made all data-* attributes URI-safe
  • Fixed a security bug in SAFE_FOR_TEMPLATES mode, spotted by @filedescriptor

DOMPurify 0.7.3

26 Nov 11:52
  • Better fall-back handling for IE8 and IE9
  • Better compatibility with SVG filters and filter elements

DOMPurify 0.7.2

19 Oct 10:45
  • Fixed a crash in Safari 9
  • Added SAFE_FOR_TEMPLATES flag to aggressively scrub template delimiters and content
  • Added better test coverage
  • Added CI coverage for MS Edge
  • Fixed fall-back behaviour for IE6-IE8
  • Enhanced and updated the documentation

DOMPurify 0.7.1

02 Oct 09:32
  • Added better test coverage
  • Added tests for document.write() behavior
  • Added better SVG compatibility
  • Changed the CI log output
  • Added better local testing capabilities

DOMPurify 0.7.0

23 Sep 07:00
  • Added better compatibility for older browsers
  • Added better test coverage
  • Added a /dist folder with a tested, minified DOMPurify build
  • Optimized internal document creation process
  • Optimized browser tests, now covering eight browsers
  • Optimized code style
  • Updated wiki pages and readmes

DOMPurify 0.6.7

17 Sep 13:00
  • Security release, please update!
  • Fixed a possible security issue based on a newly spotted Firefox bug (explanation below)
  • Replaced document.implementation with DOMParser.parseFromString()
  • Changed location of purify.js from / to /src
  • Extended the range of tested browsers on BrowserStack

Details about the Security Issue

Problem:
https://bugzilla.mozilla.org/show_bug.cgi?id=1205631

Attack Scenario:
The bug only manifested itself if the sanitized HTML that DOMPurify produced was written to a document using document.write() or a similar sink. Applications that set the sanitized HTML using innerHTML or outerHTML are not affected at all. Applications that do not allow SVG are also not affected at all.

The security issue is caused by a non-standard behavior of Gecko (the Firefox browser engine), specifically a peculiarity in how it parses innerHTML assignments: the tree Gecko builds for innerHTML differs from the tree the full document parser builds for document.write(), so DOMPurify sanitized one tree while the sink rendered another. The following code snippets illustrate the issue:

<script>
// This is SAFE in Gecko (but shouldn't be!): the innerHTML parser does not
// produce an element carrying onerror from this markup, so nothing fires.
document.body.innerHTML='<svg><p><style><img src="</style><img src=x onerror=alert(1)//">'
</script>


<script>
// This is UNSAFE: the full document parser behind document.write() does
// create the second <img> as a real element, and its onerror handler fires.
document.write('<svg><p><style><img src="</style><img src=x onerror=alert(1)//">')
</script>

Users who install this latest release are no longer affected by the bug: DOMPurify works around the problem and mitigates the issue by no longer trusting Gecko's innerHTML implementation. Instead of combining document.implementation with doc.body.outerHTML, DOMPurify now uses the DOMParser API, which is available in all modern browsers and shares the parser that document.write() uses.
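The following is an added example, not DOMPurify's own code and not part of the original release notes: a small parser-differential probe for the class of bug described above. It pushes the page's payload through the three parse paths mentioned here (DOMParser, which the release switches to; innerHTML on a document.implementation document, which it abandons; and document.write() into a throwaway iframe, the affected sink) and counts how many <img> elements each path produces. If the counts disagree, a sanitizer that sees one tree can be bypassed by a sink that builds another. Assumptions: it runs in a browser (open it in Firefox to check the Gecko behavior), the payload's onerror=alert(1) is replaced by a harmless data-probe marker so the probe never executes script, and the function names are mine.

```javascript
// Added example (not DOMPurify code): parser-differential probe for the
// innerHTML vs document.write() mismatch. Assumes a browser; under Node.js
// runProbe() returns null and only the pure helpers are exercised.
// Payload: the page's own, with onerror=alert(1) swapped for a data-probe
// marker so counting elements is safe (constructed for this example).
const PROBE_HTML = '<svg><p><style><img src="</style><img src=x data-probe=1//">';

// How many <img data-probe> elements ended up in the tree.
function countProbeImages(doc) {
  return doc.querySelectorAll('img[data-probe]').length;
}

// Path 1: DOMParser, what the 0.6.7 release says DOMPurify now uses.
function viaDOMParser(html) {
  const doc = new DOMParser().parseFromString(html, 'text/html');
  return countProbeImages(doc);
}

// Path 2: innerHTML on a document.implementation document, the replaced approach.
function viaInnerHTML(html) {
  const doc = document.implementation.createHTMLDocument('');
  doc.body.innerHTML = html;
  return countProbeImages(doc);
}

// Path 3: document.write() into a same-origin throwaway iframe, the affected
// sink. The payload carries no script, so writing it executes nothing.
function viaDocumentWrite(html) {
  const iframe = document.createElement('iframe');
  document.body.appendChild(iframe);
  const doc = iframe.contentDocument;
  doc.open();
  doc.write(html);
  doc.close();
  const n = countProbeImages(doc);
  iframe.remove();
  return n;
}

// Pure comparison: paths maps a name to a function (html -> element count).
// consistent === true means every parse path agrees on the resulting tree.
function compareParsePaths(paths, html) {
  const counts = {};
  for (const [name, parse] of Object.entries(paths)) {
    counts[name] = parse(html);
  }
  const values = Object.values(counts);
  const consistent = values.every((v) => v === values[0]);
  return { counts, consistent };
}

function runProbe() {
  if (typeof DOMParser === 'undefined' || typeof document === 'undefined') {
    return null; // not a browser environment
  }
  return compareParsePaths(
    { DOMParser: viaDOMParser, innerHTML: viaInnerHTML, documentWrite: viaDocumentWrite },
    PROBE_HTML
  );
}

const probeResult = runProbe();
if (probeResult) {
  // A browser following the HTML parsing rules reports 1 on every path: <p>
  // breaks out of the SVG, </style> ends the raw text, and the second <img>
  // becomes a real element. A lower innerHTML count is the mismatch that
  // let sanitized output render differently under document.write().
  console.log(JSON.stringify(probeResult));
}
```

Read the output as a property of the browser, not of the payload: any path whose count differs from the DOMParser count is a sink that a DOMParser-based sanitizer cannot vouch for, which is exactly why the release notes recommend inserting sanitized markup with innerHTML rather than document.write().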

This change is expected to be non-breaking; no API changes or other side effects are expected.

Thanks @mozfreddyb for assisting with this fix.