Skip to content
- Fixed an issue with on-handler stripping for HTML-spec-reserved custom element names (
font-face, color-profile, missing-glyph, font-face-src, font-face-uri, font-face-format, font-face-name) under permissive CUSTOM_ELEMENT_HANDLING
- Fixed a case-sensitivity gap in the
annotation-xml check that allowed mixed-case variants to bypass the basic-custom-element exclusion in XHTML mode
- Fixed
SANITIZE_NAMED_PROPS repeatedly prefixing already-prefixed id and name values on subsequent sanitization
- Fixed the
IN_PLACE root-node check to explicitly guard against non-string nodeName (DOM-clobbering robustness)
- Removed a duplicate
slot entry from the default HTML attribute allow-list
- Strengthened the fast-check fuzz harness with explicit XSS invariants, an expanded seed-payload corpus, an additional idempotence property for
SANITIZE_NAMED_PROPS, and a negative-control assertion ensuring the invariants actually fire
- Added regression and pinning tests covering the above fixes and two accepted-behavior contracts (
SAFE_FOR_TEMPLATES greedy scrub, hook-added attribute handling)
- Extended CodeQL analysis to run on
3.x and 2.x maintenance branches