Releases: cure53/DOMPurify
DOMPurify 3.4.11
- Fixed an issue with a leaky config for hooks via setConfig, thanks @trace37labs
- Bumped vulnerable development dependencies to arrive at a plain 0 with npm audit
- Updated the osv-scanner suppression list as no vulnerable dependencies are left for now
- Updated the linting tool-chain and removed now-redundant lint directives
- Updated the documentation in several spots, README, wiki, etc.
- Bumped several dependencies where possible
DOMPurify 3.4.10
- Refactored codebase for clarity: extracted the public type declarations into types.ts
- Decomposed the three largest sanitizer functions into focused helpers
- Removed duplicated defaults and dead branches, consolidated SAFE_FOR_TEMPLATES scrubbing into a single shared path
- Improved per-node performance by hoisting the mXSS probe regexes and testing textContent before innerHTML
- Added a deterministic micro-benchmark harness (npm run bench) with a --compare mode
- Reduced CI cost by running the full three-engine browser suite once per PR
- Refreshed the demos/ folder so every demo runs again, and added an SVG-via-<img> demo
- Documented the bench and test:happydom scripts in the README
- Completed the Attack Classes & Bypass History wiki page
- Bumped several dependencies where possible
DOMPurify 3.4.9
- Further improved the handling of Trusted Types config options, thanks @offset
- Further improved the handling of IN_PLACE sanitization, thanks @mozfreddyb
- Added more test coverage for IN_PLACE and Trusted Types related usage
- Bumped several dependencies where possible
- Updated README and wiki with more accurate documentation & attack samples
DOMPurify 3.4.8
- Cleaned up the repository root, renamed some and removed unneeded files
- Fixed an issue with handling of Trusted Types policies, thanks @fulstadev
- Fixed the node iterator for better template scrubbing, thanks @IamLeandrooooo
- Included formerly missing LICENSE-MPL in published npm package, thanks @asamuzaK
- Bumped several dependencies where possible
DOMPurify 3.4.7
- Hardened the handling of Shadow Roots when using IN_PLACE, thanks @GameZoneHacker
- Removed a problem leading to permanent hook pollution, thanks @offset
- Refactored the test suite and expanded test coverage significantly
DOMPurify 3.4.6
DOMPurify 3.4.5
- Fixed a bypass caused by the new HTML element selectedcontent added in 3.4.4, thanks @KabirAcharya
Note that this is a security release for an issue introduced in 3.4.4 and should be upgraded to immediately.
DOMPurify 3.4.4
- Added the selectedcontent element to the default allow-list, thanks @lukewarlow
- Added the command and commandfor attributes to the default allow-list, thanks @lukewarlow
- Added better template scrubbing for IN_PLACE operations, thanks @DEMON1A
- Added stronger checks for cross-realm windows, thanks @DEMON1A & @fg0x0
- Updated demo website and made sure it uses the latest from main
- Updated existing workflows, fuzzer, dependabot, etc., added more tests
- Bumped several dependencies where possible
🚨 This release had been flagged as deprecated, please use DOMPurify 3.4.5 instead 🚨
DOMPurify 3.4.3
- Fixed an issue with handling of nested Shadow DOM trees, thanks @fishjojo1
- Fixed the template regexes to be more robust against ReDoS attacks, thanks @aleung27
- Updated the node iteration code to catch more Shadow DOM related issues
- Updated Playwright and added Node 26 to test matrix
- Updated existing workflows, fuzzer, release signing, etc., added more tests
- Bumped several dependencies where possible