github cure53/DOMPurify 0.8.6

7 years ago
  • Fixed an XSS in Safari 10.1 and 10.2 introduced by a Safari browser bug
    • On Safari 10.1 and 10.2, the following call now actually causes XSS. Good job, Safari. Not.
    • new DOMParser().parseFromString('<svg onload=alert(document.domain)>', 'text/html');
  • Fixed a minor return value problem on MSIE11 (see #198)
  • Added new flag FORCE_BODY to enable better handling of HTML that starts with a style element or other elements a browser might move into the document head (see #199)
  • Added white-listing for ARIA attributes (see #203)
  • Fixed a minor bug in the URI white-list regex (see #200)
  • Fixed a bug where data URI attributes would be removed from SVG content (see #205)
