github cure53/DOMPurify 3.4.0
DOMPurify 3.4.0

15 hours ago

Most relevant changes:

  • Fixed a problem with FORBID_TAGS not winning over ADD_TAGS, thanks @kodareef5
  • Fixed several minor problems and typos regarding MathML attributes, thanks @DavidOliver
  • Fixed ADD_ATTR/ADD_TAGS function leaking into subsequent array-based calls, thanks @1Jesper1
  • Fixed a missing SAFE_FOR_TEMPLATES scrub in RETURN_DOM path, thanks @bencalif
  • Fixed a prototype pollution via CUSTOM_ELEMENT_HANDLING, thanks @trace37labs
  • Fixed an issue with ADD_TAGS function form bypassing FORBID_TAGS, thanks @eddieran
  • Fixed an issue with ADD_ATTR predicates skipping URI validation, thanks @christos-eth
  • Fixed an issue with USE_PROFILES prototype pollution, thanks @christos-eth
  • Fixed an issue leading to possible mXSS via Re-Contextualization, thanks @researchatfluidattacks and others
  • Fixed an issue with closing tags leading to possible mXSS, thanks @frevadiscor
  • Fixed a problem with the type definition patcher after Node version bump
  • Fixed freezing BS runs by reducing the tested browsers array
  • Bumped several dependencies where possible
  • Added needed files for OpenSSF scorecard checks

Published Advisories are here:
https://github.com/cure53/DOMPurify/security/advisories?state=published
