Skip to content

Releases: cure53/DOMPurify

DOMPurify 0.8.1

06 Jun 11:34
@cure53 cure53
0.8.1
e1980de
Compare
Choose a tag to compare
DOMPurify 0.8.1
  • Fixed a security bug when ALLOW_UNKNOWN_PROTOCOLS is true (not the default) reported and addressed by @neilj
  • Added more tests to cover the security fix
  • Added more browsers to BrowserStack test-array
  • Fixed some minor issue with DOM element removal log
Assets 2
Loading

DOMPurify 0.8.0

24 May 13:30
@cure53 cure53
0.8.0
7aa9772
This commit was signed with the committer’s verified signature.
cure53 Cure53
GPG key ID: 5F0CDACD24BB6BF4
Learn about vigilant mode.
Compare
Choose a tag to compare
DOMPurify 0.8.0
  • Added DOMPurify.removed to allow analyzing what elements and attributes were removed
  • Added much better compatibility with SVG images, filters and other SVG elements
  • Enhanced support for Data URIs
  • Enhanced support for Node.js and jsdom
  • Enhanced tests and reduced useless output
  • Added automated tests for Node.js and jsdom support
  • Added more browsers to automated tests (Edge 13, Chrome 50, Firefox 46)
  • Updated documentation and credits
  • Fixed smaller glitches on MSIE10
  • Fixed an issue with Shadow DOM on mobile Chrome
Assets 2
Loading

DOMPurify 0.7.4

17 Feb 13:55
@cure53 cure53
0.7.4
75e1088
Compare
Choose a tag to compare
DOMPurify 0.7.4
  • Moved handling of URI-attributes from black-list to white-list
  • Optimized the code
  • Optimized regular expressions in use
  • Made all data-* attributes become URI-safe
  • Fixed a security bug in SAFE_FOR_TEMPLATING mode, spotted by @filedescriptor
Assets 2
Loading

DOMPurify 0.7.3

26 Nov 11:52
@cure53 cure53
0.7.3
eb37356
Compare
Choose a tag to compare
DOMPurify 0.7.3
  • Better fall-back handling for IE8 and IE9
  • Better compatibility with SVG filters and filter elements
Assets 2
Loading

DOMPurify 0.7.2

19 Oct 10:45
@cure53 cure53
0.7.2
c8014de
Compare
Choose a tag to compare
DOMPurify 0.7.2
  • Fixed a crash in Safari 9
  • Added SAFE_FOR_TEMPLATES flag to aggressively scrub template delimiters and content
  • Added better test coverage
  • Added CI coverage for MS Edge
  • Fixed fall-back behaviour for IE6-IE8
  • Enhanced and updated the documentation
Assets 2
Loading

DOMPurify 0.7.1

02 Oct 09:32
@cure53 cure53
0.7.1
fac1062
Compare
Choose a tag to compare
DOMPurify 0.7.1
  • Added better test coverage
  • Added tests for document.write() behavior
  • Added better SVG compatibility
  • Changed the CI log outout
  • Added better local testing capabilities
Assets 2
Loading

DOMPurify 0.7.0

23 Sep 07:00
@cure53 cure53
0.7.0
555114d
Compare
Choose a tag to compare
DOMPurify 0.7.0
  • Added better compatibility for older browsers
  • Added better test coverage
  • Added /dist folder with a tested compressed DOMPurify version
  • Optimized internal document creation process
  • Optimized browser tests, now covering eight browsers
  • Optimized code style
  • Updated wiki pages and readmes
Assets 2
Loading

DOMPurify 0.6.7

17 Sep 13:00
@cure53 cure53
0.6.7
4fb4fbd
Compare
Choose a tag to compare
DOMPurify 0.6.7
  • Security Release Please update!
  • Fixed a possible security issue based on a newly spotted Firefox bug (explanation below)
  • Replaced document.implementation by DOMParser.parseFromString()
  • Changed location of purify.js from / to /src
  • Extended the range of tested browsers on BrowserStack

Details about the Security Issue

Problem:
https://bugzilla.mozilla.org/show_bug.cgi?id=1205631

Attack Scenario:
The bug only manifested itself if the sanitized HTML DOMPurify created would be written to a document using document.write() or alike. Applications, that set the sanitized HTML by using innerHTML or outerHTML are not affected at all. Applications that do not allow SVG are also not affected at all.

The security issue is caused by a non-standard behavior of Gecko (the Firefox browser-engine) and a peculiar way of working with innerHTML-assignments. The following code snippets illustrate the issue:

<script>
// This is SAFE (but shouldn't be!)
document.body.innerHTML='<svg><p><style><img src="</style><img src=x onerror=alert(1)//">'
</script>


<script>
// This is UNSAFE
document.write('<svg><p><style><img src="</style><img src=x onerror=alert(1)//">')
</script>

Users who install this latest release are not affected by the bug anymore as DOMPurify fixes around the problem and mitigates the issue by not trusting Gecko's innerHTML implementation any much longer. Instead of the combination of document.implementation and doc.body.outerHTML, DOMPurify is now using the DOMParser feature available in all modern browsers.

This change is expected to be non-breaking, no API changes or other side-effects are expected.

Thanks @mozfreddyb for assisting with this fix.

Assets 2
Loading

DOMPurify 0.6.6

15 Sep 09:18
@cure53 cure53
0.6.6
6c15eff
Compare
Choose a tag to compare
DOMPurify 0.6.6
  • Fixed around an MSIE/Edge bug causing freezes #89
  • Changed from MPL-2.0 to a dual license of Apache-2.0 and MPL-2.0
  • Fixed all tests for Microsoft Edge
Assets 2
Loading

DOMPurify 0.6.5

04 Aug 13:07
@cure53 cure53
0.6.5
0a4a0cd
Compare
Choose a tag to compare
DOMPurify 0.6.5
  • New CSS sanitizer demo hook
  • New HTTP proxy demo hook
  • New URI scheme white-list demo hook
  • Better compatibility with Microsoft Edge
  • Better tolerance for custom data attributes
  • Fixed a crash on Firefox
  • Fixed id and name attribute checks
  • Multiple minor fixes and performance enhancements
  • Better documentation
Assets 2
Loading