- Fixed an XSS in Safari 10.1 and 10.2 introduced by a Safari browser bug
  - On Safari 10.1 and 10.2, this now actually causes XSS. Good job, Safari. Not.
    `new DOMParser().parseFromString('<svg onload=alert(document.domain)>', 'text/html');`
- Fixed a minor return value problem on MSIE11 (see #198)
- Added new flag `FORCE_BODY` to enable better handling of HTML starting with `style` and other elements a browser might move into the header (see #199)
- Added white-listing for ARIA attributes (see #203)
- Fixed a minor bug in the URI white-list regex (see #200)
- Fixed a bug where data URI attributes would be removed from SVG content (see #205)