Compare Versions - dompurify

npm / dompurify / Compare Versions

View on npm

From: → To:

3.4.7

Hardened the handling of Shadow Roots when using IN_PLACE, thanks @GameZoneHacker
Removed a problem leading to permanent hook pollution, thanks @offset
Refactored the test suite and expanded test coverage significantly

3.4.6

Fixed several issues with DOM Clobbering in IN_PLACE mode, thanks @offset & @Bankde
Hardened the checks for cross-realm IN_PLACE and Shadow DOM sanitization, thanks @offset & @Bankde
Added more test coverage for IN_PLACE and general DOM Clobbering attacks
Bumped several dependencies where possible

3.4.5

Fixed a bypass caused by the new HTML element selectedcontent added in 3.4.4, thanks @KabirAcharya

Note that this is a security release for an issue introduced in 3.4.4 and should be upgraded to immediately.

3.4.4

Added the selectedcontent element to default allow-list, thanks @lukewarlow
Added the command and commandfor attributes to default allowed-list, thanks @lukewarlow
Added better template scrubbing for IN_PLACE operations, thanks @DEMON1A
Added stronger checks for cross-realm windows, thanks @DEMON1A & @fg0x0
Updated demo website and made sure it uses the latest from main
Updated existing workflows, fuzzer, dependabot, etc., added more tests
Bumped several dependencies where possible

🚨 This release had been flagged as deprecated, please use DOMPurify 3.4.5 instead 🚨

3.4.3

Fixed an issue with handling of nested Shadow DOM trees, thanks @fishjojo1
Fixed the template regexes to be more robust against ReDoS attacks, thanks @aleung27
Updated the node iteration code to catch more Shadow DOM related issues
Updated Playwright and added Node 26 to test matrix
Updated existing workflows, fuzzer, release signing, etc., added more tests
Bumped several dependencies where possible

3.4.2

Fixed an issue with URI validation on attributes allowed via ADD_ATTR callback, thanks @nelstrom
Fixed an issue with source maps referring to non-existing files, thanks @cmdcolin
Updated existing workflows, fuzzer, release signing, etc., added more tests
Bumped several dependencies where possible

3.4.1

Fixed an issue with on-handler stripping for HTML-spec-reserved custom element names (font-face, color-profile, missing-glyph, font-face-src, font-face-uri, font-face-format, font-face-name) under permissive CUSTOM_ELEMENT_HANDLING
Fixed a case-sensitivity gap in the annotation-xml check that allowed mixed-case variants to bypass the basic-custom-element exclusion in XHTML mode
Fixed SANITIZE_NAMED_PROPS repeatedly prefixing already-prefixed id and name values on subsequent sanitization
Fixed the IN_PLACE root-node check to explicitly guard against non-string nodeName (DOM-clobbering robustness)
Removed a duplicate slot entry from the default HTML attribute allow-list
Strengthened the fast-check fuzz harness with explicit XSS invariants, an expanded seed-payload corpus, an additional idempotence property for SANITIZE_NAMED_PROPS, and a negative-control assertion ensuring the invariants actually fire
Added regression and pinning tests covering the above fixes and two accepted-behavior contracts (SAFE_FOR_TEMPLATES greedy scrub, hook-added attribute handling)
Extended CodeQL analysis to run on 3.x and 2.x maintenance branches

3.4.0

Most relevant changes:

Fixed a problem with FORBID_TAGS not winning over ADD_TAGS, thanks @kodareef5
Fixed several minor problems and typos regarding MathML attributes, thanks @DavidOliver
Fixed ADD_ATTR/ADD_TAGS function leaking into subsequent array-based calls, thanks @1Jesper1
Fixed a missing SAFE_FOR_TEMPLATES scrub in RETURN_DOM path, thanks @bencalif
Fixed a prototype pollution via CUSTOM_ELEMENT_HANDLING, thanks @trace37labs
Fixed an issue with ADD_TAGS function form bypassing FORBID_TAGS, thanks @eddieran
Fixed an issue with ADD_ATTR predicates skipping URI validation, thanks @christos-eth
Fixed an issue with USE_PROFILES prototype pollution, thanks @christos-eth
Fixed an issue leading to possible mXSS via Re-Contextualization, thanks @researchatfluidattacks and others
Fixed an issue with closing tags leading to possible mXSS, thanks @frevadiscor
Fixed a problem with the type dentition patcher after Node version bump
Fixed freezing BS runs by reducing the tested browsers array
Bumped several dependencies where possible
Added needed files for OpenSSF scorecard checks

Published Advisories are here: https://github.com/cure53/DOMPurify/security/advisories?state=published

3.3.3

Fixed an engine requirement for Node 20 which caused hiccups, thanks @Rotzbua

3.3.2

Fixed a possible bypass caused by jsdom's faulty raw-text tag parsing, thanks multiple reporters
Fixed a prototype pollution issue when working with custom elements, thanks @christos-eth
Fixed a lenient config parsing in _isValidAttribute, thanks @christos-eth
Bumped and removed several dependencies, thanks @Rotzbua
Fixed the test suite after bumping dependencies, thanks @Rotzbua

3.3.1

Updated ADD_FORBID_CONTENTS setting to extend default list, thanks @MariusRumpf
Updated the ESM import syntax to be more correct, thanks @binhpv

3.3.0

Added the SVG mask-type attribute to default allow-list, thanks @prasadrajandran
Added support for ADD_ATTR and ADD_TAGS to accept functions, thanks @nelstrom
Fixed an issue with the slot element being in both SVG and HTML allow-list, thanks @Wim-Valgaeren

3.2.7

Added new attributes and elements to default allow-list, thanks @elrion018
Added tagName parameter to custom element attributeNameCheck, thanks @nelstrom
Added better check for animated href attributes, thanks @llamakko
Updated and improved the bundled types, thanks @ssi02014
Updated several tests to better align with new browser encoding behaviors
Improved the handling of potentially risky content inside CDATA elements, thanks @securityMB & @terjanq
Improved the regular expression for raw-text elements to cover textareas, thanks @securityMB & @terjanq

3.2.6

Fixed several typos and removed clutter from our documentation, thanks @Rotzbua
Added matrix: as an allowed URI scheme, thanks @kleinesfilmroellchen
Added better config hardening against prototype pollution, thanks @EffectRenan
Added better handling of attribute removal, thanks @michalnieruchalski-tiugo
Added better configuration for aggressive mXSS scrubbing behavior, thanks @BryanValverdeU
Removed the script that caused the fake entry CVE-2025-48050

3.2.5

Added a check to the mXSS detection regex to be more strict, thanks @masatokinugawa
Added ESM type imports in source, removes patch function, thanks @donmccurdy
Added script to verify various TypeScript configurations, thanks @reduckted
Added more modern browsers to the Karma launchers list
Added Node 23.x to tested runtimes, removed Node 17.x
Fixed the generation of source maps, thanks @reduckted
Fixed an unexpected behavior with ALLOWED_URI_REGEXP using the 'g' flag, thanks @hhk-png
Fixed a few typos in the README file

3.2.4

Fixed a conditional and config dependent mXSS-style bypass reported by @nsysean
Added a new feature to allow specific hook removal, thanks @davecardwell
Added purify.js and purify.min.js to exports, thanks @Aetherinox
Added better logic in case no window object is president, thanks @yehuya
Updated some dependencies called out by dependabot
Updated license files etc to show the correct year

3.2.3

Fixed two conditional sanitizer bypasses discovered by @parrot409 and @Slonser
Updated the attribute clobbering checks to prevent future bypasses, thanks @parrot409

3.2.2

Fixed a possible bypass in case a rather specific config for custom elements is set, thanks @yaniv-git
Fixed several minor issues with the type definitions, thanks again @reduckted
Fixed a minor issue with the types reference for trusted types, thanks @reduckted
Fixed a minor problem with the template detection regex on some systems, thanks @svdb99

3.2.1

Fixed several minor issues with the type definitions, thanks @reduckted @ghiscoding @asamuzaK @MiniDigger
Fixed an issue with non-minified dist files and order of imports, thanks @reduckted

3.2.0

Added type declarations, thanks @reduckted , @philmayfield, @aloisklink, @ssi02014 and others
Fixed a minor issue with the handling of hooks, thanks @kevin-mizu

3.1.7

Fixed an issue with comment detection and possible bypasses with specific config settings, thanks @masatokinugawa
Fixed several smaller typos in documentation and test & build files, thanks @christianhg
Added better support for Angular compiler, thanks @jeroen1602
Added several new attributes to HTML and SVG allow-list, thanks @Gigabyte5671 and @Rotzbua
Removed the foreignObject element from the list of HTML entry-points, thanks @masatokinugawa
Bumped several dependencies to be more up to date

3.1.6

Fixed an issue with the execution logic of attribute hooks to prevent bypasses, thanks @kevin-mizu
Fixed an issue with element removal leading to uncaught errors through DOM Clobbering, thanks @realansgar
Fixed a minor problem with the bower file pointing to the wrong dist path
Fixed several minor typos in docs, comments and comment blocks, thanks @Rotzbua
Updated several development dependencies

3.1.5

Fixed a minor issue with the dist paths in bower.js, thanks @HakumenNC
Fixed a minor issue with sanitizing HTML coming from copy&paste Word content, thanks @kakao-bishop-cho

3.1.4

Fixed an issue with the recently implemented isNaN checks, thanks @tulach
Added several new popover attributes to allow-list, thanks @Gigabyte5671
Fixed the tests and adjusted the test runner to cover all branches

3.1.3

Fixed several mXSS variations found by and thanks to @kevin-mizu & @Ry0taK
Added better configurability for comment scrubbing default behavior
Added better hardening against Prototype Pollution attacks, thanks @kevin-mizu
Added better handling and readability of the nodeType property, thanks @ssi02014
Fixed some smaller issues in README and other documentation

3.1.2

Addressed and fixed a mXSS variation found by @kevin-mizu
Addressed and fixed a mXSS variation found by Adam Kues of Assetnote
Updated tests for older Safari and Chrome versions

3.1.1

Fixed an mXSS sanitiser bypass reported by @icesfont
Added new code to track element nesting depth
Added new code to enforce a maximum nesting depth of 255
Added coverage tests and necessary clobbering protections

Note that this is a security release and should be upgraded to immediately. Please also note that further releases may follow as the underlying vulnerability is apparently new and further variations may be discovered.

3.1.0

Added new setting SAFE_FOR_XML to enable better control over comment scrubbing
Updated README to warn about happy-dom not being safe for use with DOMPurify yet
Updated the LICENSE file to show the accurate year number
Updated several build and test dependencies

3.0.11

Fixed another conditional bypass caused by Processing Instructions, thanks @Ry0taK
Fixed the regex for HTML Custom Element detection, thanks @AlekseySolovey3T

3.0.10

Fixed two possible bypasses when sanitizing an XML document and later using it in HTML, thanks @Slonser
Bumped up some build and test dependencies

3.0.9

Fixed a problem with proper detection of Custom Elements, thanks @kevin-mizu
Refactored the hasOwnProperty logic, thanks @ssi02014
Removed a superfluous console.warn making HappyDom happier, thanks @HugoPoi
Modernized some of the demo hooks for better looks, thanks @Steb95

3.0.8

Fixed errors caused by conditional exports, thanks @ssi02014
Fixed a type error when working with custom element config, thanks @cpmotion

3.0.7

Added better protection against CSPP attacks, thanks @kevin-mizu
Updated browser versions for automated tests
Updated Node versions for automated tests
Refactored code base, thanks @ssi02014
Refactored build system & deployment, thanks @ssi02014

3.0.6

Refactored the core code-base and several utilities, thanks @ssi02014
Updated and fixed several sections of the README, thanks @ssi02014
Updated several outdated build and test dependencies

3.0.5

Fixed a licensing issue spotted and reported by @george-thomas-hill
Updated several build and test dependencies

3.0.4

Fixed a bypass in jsdom 22 in case the noframes element is permitted, thanks @leeN
Fixed a typo with shadowrootmod which should be shadowrootmode, thanks @masatokinugawa

3.0.3

Added new TRUSTED_TYPES_POLICY configuration option, thanks @dejang
Added feDropShadow to the SVG filter allow-list, thanks @SelfMadeSystem

3.0.2

Fixed an issue with ALLOWED_URI_REGEXP not being reset, thanks @mukilane
Added mprescripts tag to allowed MathML elements, thanks @duyhai94
Added SMS URI scheme to allowed URI schemes, tanks @Kiwka
Updated supported browser versions for nicer code and smaller size, thanks @buzinas

3.0.1

Fixed a problem with improper reset of custom HTML options, thanks @ammaraskar

3.0.0

Removed all code that is for MSIE-only
Removed all tests that are for MSIE-only
Modified documentation to reflect new state of MSIE support
Added support for ALLOW_SELF_CLOSE_IN_ATTR flag, thanks @edg2s @AndreVirtimo
Added better support for shadowrootmode, thanks @mfreed7

NOTE Please use the 2.4.4 release if you still need MSIE support, 3.0.0 comes without the MSIE overhead

2.5.9

Fixed a possible bypass caused by jsdom's faulty raw-text tag parsing

2.5.8

Fixed two conditional sanitizer bypasses discovered by @parrot409 and @Slonser
Updated the attribute clobbering checks to prevent future bypasses, thanks @parrot409

2.5.7

Fixed an issue with comment detection and possible bypasses with specific config settings, thanks @masatokinugawa
Removed the foreignObject element from the list of HTML entry-points, thanks @masatokinugawa

2.5.6

Fixed an issue with the execution logic of attribute hooks to prevent bypasses, thanks @kevin-mizu
Fixed a minor problem with the bower file pointing to the wrong dist path
Updated several development dependencies

2.5.5

Fixed a minor issue with the dist paths in bower.js, thanks @HakumenNC
Fixed a minor issue with sanitizing HTML coming from copy&paste Word content, thanks @kakao-bishop-cho

2.5.4

Fixed a bug with latest isNaN checks affecting MSIE, thanks @tulach
Fixed the tests for MSIE and fixed related test-runner

2.5.3

Fixed several mXSS variations found by and thanks to @kevin-mizu & @Ry0taK
Added better configurability for comment scrubbing default behavior
Added better hardening against Prototype Pollution attacks, thanks @kevin-mizu
Fixed some smaller issues in README and other documentation

2.5.2

Addressed and fixed a mXSS variation found by @kevin-mizu
Addressed and fixed a mXSS variation found by Adam Kues of Assetnote
Updated tests for older Safari and Chrome versions

2.5.1

Fixed an mXSS sanitizer bypass reported by @icesfont
Added new code to track element nesting depth
Added new code to enforce a maximum nesting depth of 255
Added coverage tests and necessary clobbering protections

2.5.0

Added new setting SAFE_FOR_XML to enable better control over comment scrubbing
Updated the LICENSE file to show the accurate year number
Updated several build and test dependencies

2.4.9

Fixed another conditional bypass caused by Processing Instructions, thanks @Ry0taK
Fixed the regex for HTML Custom Element detection, thanks @AlekseySolovey3T

2.4.8

Fixed two possible bypasses when sanitizing an XML document and later using it in HTML, thanks @Slonser

2.4.7

Fixed a licensing issue spotted and reported by @george-thomas-hill

2.4.6

Fixed a bypass in jsdom 22 in case the noframes element is permitted, thanks @leeN

2.4.5

Fixed a problem with improper reset of custom HTML options, thanks @ammaraskar

2.4.4

Added support for ALLOW_SELF_CLOSE_IN_ATTR flag, thanks @edg2s @AndreVirtimo
Added better support for shadowrootmode, thanks @mfreed7

2.4.3

Final release that is compatible with MSIE10 & MSIE 11

2.4.2

Fixed a Trusted Types sink violation with empty input and NAMESPACE , thanks @tosmolka
Fixed a Prototype Pollution issue discovered and reported by @kevin-mizu

2.4.1

Added new config option ALLOWED_NAMESPACES for better XML handling, thanks @kevin-deyoungster @tosmolka
Added better detection of template literals when SAFE_FOR_TEMPLATES is true
Fixed an exception caused by DOM clobbering, thanks @masatokinugawa
Bumped some dependencies, thanks @marcpenya-tf

2.4.0

Removed bundled types again as they caused too much trouble

2.3.12

Fixed an issue in 2.3.11 causing errors w. TypeScript, see #712, thanks @Mirco469, @brentkeller, @aryanisml

2.3.11

Added generated type definitions for better compatibility
Added SANITIZE_NAMED_PROPS config option, thanks @SoheilKhodayari
Updated README and config documentation, thanks @0xedward
Updated test suite with newer Node versions

2.3.10

Added support for sanitization of attributes requiring Trusted Types, thanks @tosmolka

2.3.9

Made TAG and ATTR config options case-sensitive when parsing XHTML, thanks @tosmolka
Bumped some dependencies, thanks @is2ei
Included github-actions in the dependabot config, thanks @nathannaveen

2.3.8

Cleaned up a minor issue with the 2.3.7 release, thanks @johnbirds

No other changes compared to 2.3.7 release, which entail:

Fixes around a bug in Safari, thanks @sybrew
Slightly improved performance, thanks @tiny-ben-tran
Lots of chores, bumps and typo fixes, thanks @is2ei
Removed unnecessary string trimming, thanks @christopherehlen

2.3.6

Added an option to allow HTML5 doctypes, thanks @tosmolka
Bumped several dependencies, thanks @is2ei
Updated documentation to cover recently added flags, thanks @is2ei

2.3.5

Performed several chores and cleanups, thanks @is2ei
Fixed a bug when working with Trusted Types, thanks @tosmolka
Fixed a bug with weird behavior on insecure nodes in IN_PLACE mode, thanks @tosmolka
Added more SVG attributes to allow-list, thanks @rzhade3

2.3.4

Added support for Custom Elements, thanks @franktopel
Added new config settings to control Custom Element sanitizing, thanks @franktopel
Added faster clobber checks, thanks @GrantGryczan
Allow-listed SVG feImage elements, thanks @ydaniv
Updated test suite
Update supported Node versions
Updated README

2.3.3

Fixed a bug in the handing of PARSER_MEDIA_TYPE spotted by @securitum-mb
Adjusted the tests for MSIE to make sure the results are as expected now

2.3.2

Added new config option PARSER_MEDIA_TYPE, thanks @tosmolka

2.3.1

Added code to make FORBID_CONTENTS setting configurable
Added role to URI-safe attributes
Added more paranoid handling for template elements

2.3.0

Added better handling of document creation on Firefox
Added better handling of version numbers in license file
Added two new browser versions to test suite config
Fixed a bug with handling of custom data attributes

2.2.9

Fixed some minor issues related to the NAMESPACE config
Fixed some minor issues relating to empty input
Fixed some minor issues relating to handling of invalid XML

2.2.8

Added NAMESPACE config option, thanks @NateScarlet
Added better fallback for older browsers & PhantomJS, thanks @albanx
Extended allow-list for SVG attributes a bit

2.2.7

Fixed handling of unsupported browsers, i.e. Safari 9 and older
Fixed various minor bugs and typos in README and examples
Added better handling of potentially harmful "is" attributes
Added better handling of lookupGetter functionality

2.2.6

Added new mXSS prevention logic created by SecurityMB

2.2.4

Fixed a new MathML-based bypass submitted by PewGrand
Fixed a new SVG-related bypass submitted by SecurityMB
Updated NodeJS CI to Node 14.x and Node 15.x
Cleaned up _forceRemove logic for better reliability

2.2.3

Fixed an mXSS issue reported by PewGrand
Fixed a minor issue with the license header
Fixed a problem with overly-eager CSS stripping
Updated the README and removed an XSS warning

2.2.2

Fixed an mXSS bypass dropped on us publicly via #482
Fixed an mXSS variation that was reported privately short after
Added dialog to permitted elements list
Fixed a small typo in the README

2.2.0

Fix a possible XSS in Chrome that is hidden behind #enable-experimental-web-platform-features, reported by @neilj and @mfreed7
Changed RETURN_DOM_IMPORT default to true to address said possible XSS
Updated README to reflect the new change and inform about the risks of manually setting RETURN_DOM_IMPORT back to false
Fixed the tests to properly address the new default

2.1.1

Removed some code targeting old Safari versions
Removed some code targeting older MS Edge versions
Re-added some code targeting older Chrome versions, thanks @terjanq
Added new tests and removed unused SAFE_FOR_JQUERY test cases
Added Node 14.x to existing test coverage

2.1.0

Fixed several possible mXSS patterns, thanks @hackvertor
Removed the SAFE_FOR_JQUERY flag (we are safe by default now for jQuery)
Removed several now useless mXSS checks
Updated the mXSS check for elements
Updated test cases to cover new sanitization strategy
Updated test website to use newer jQuery
Updated array of tested browsers and removed legacy browsers
Added "auto convert" checkbox to test website, thanks @hackvertor

2.0.17

Fixed another bypass causing mXSS by using MathML

2.0.16

Fixed an mXSS-based bypass caused by nested forms inside MathML
Fixed a security error thrown on older Chrome on Android versions, see #470

Credits for the bypass go to Michał Bentkowski (@securityMB) of Securitum who spotted the bug in Chrome, turned it into another DOMPurify bypass, reported and helped verifying the fix :bowing_man: :bowing_woman:

2.0.15

Added a renovated test suite, thanks @peernohell
Fixed some minor linter warnings

2.0.14

Fixed a problem with the documentMode default value

2.0.12

Fixed a minor bug when working with Trusted Types
Fixed some typos in a demo file
Fixed some wordings in code and docs

2.0.11

Fixed faulty behavior for non breaking space characters
Added ADD_DATA_URI_TAGS directive to allow customizing Data URI tag behavior

2.0.10

Fixed a dependency problem causing builds to break
Fixed a test in Chrome 83 covering Trusted Types

2.0.9

Removed a meanwhile useless parser check
Added countless new attributes to whitelist
Added whole new build and system
Added license tag to compressed files
Updated README for more clarity

2.0.8

Fixed a bypass that can be abused in case SAFE_FOR_JQUERY is used with jQuery 3.x, thanks @masatokinugawa :bowing_woman:
Added new elements to whitelist, thanks @chris-morgan
Added first layer of prototype poisoning protection, thanks @dejang
Added better controls for uponSanitizeAttribute, thanks @devinrhode2
Added demo for node removal, thanks @mikesnare

2.0.7

Fixed several mXSS vectors spotted , thanks @masatokinugawa :bowing_man:
Fixed a minor crash affecting MSIE11, see #372
Fixed some typos and adjusted the README

2.0.6

Enhanced the checks for SVG-/MathML-based mXSS
Removed several obtrusive checks and guards that are not needed any longer
Added better test coverage
Added better handling of situations where element removal causes mXSS
Added better handling of content type switches causing mXSS

2.0.5

Fixed a logical issue causing overly aggressive SVG removal spotted by @thorn0

2.0.4

Another mXSS variation was spotted by @masatokinugawa and got addressed and fixed in this release.

The fixes were reviewed and no new bypasses could be spotted at the moment. Thanks, @masatokinugawa :bowing_man: :bowing_woman:!

The sanitization logic for this kind of mXSS was changed to be less aggressive and still be able to spot all recent mXSS variations we know about right now - while also avoiding risky string matching.

Prayers and thoughts that this was the final variation. But better be on the lookout for more releases soon.

2.0.3

Fixed another mXSS variation affecting Chrome, Safari and Edge relating to HTML templates
Fixed a bug in the config parser leading to unexpected results

Credits for the bypass again go to Michał Bentkowski (@securityMB) of Securitum who spotted the bug in Chrome, turned it into another DOMPurify bypass, reported and helped verifying the fix :bowing_man: :bowing_woman:

2.0.2

Following the release of DOMPurify 2.0.1, a more thorough internal audit against Blink-based mXSS bugs was conducted. Several mXSS variations, spotted by @masatokinugawa were addressed and fixed. The fixes were reviewed and so far no new bypasses could be spotted.

This release manages to find what is believed to be a more holistic way to prevent mXSS bugs, specifically coming from HTML attributes and tags nested inside SVG and MathML.

Further, this release also addresses a DoS problem caused by sanitization of HTML tables when configured with potentially conflicting configuration settings.

2.0.1

Fixed a bypass affecting latest Chrome, caused by a newly discovered Chrome mXSS vulnerability
Added tests to cover implemented fixes

Credits go to Michał Bentkowski (@SecurityMB) of Securitum who spotted the bug in Chrome, turned it into a DOMPurify bypass, reported and helped verifying the fix. :bow:

2.0.0

Note: This release makes sure that, by default only string objects are returned (if not specified otherwise). This change relates to a surprising behavior in Chrome 77 - having to do with Trusted Types.

Changed the default behavior for Trusted Types (See #361)
Added a new config flag to manually enable Trusted Types support
Added support for more attributes
Fixed a minor CSP warning

1.0.11

Fixed a minor problem with persistent config flags
Fixed a problem with extraneous HTML elements
Fixed some minor issues in README and Demo
Expanded the array of permitted SVG properties
Expanded the array of permitted HTML properties

1.0.10

Fixed a possible security problem when SAFE_FOR_TEMPLATES is true (default is false), thanks @masatokinugawa
Fixed a security problem when ALLOWED_TAGS or ADD_TAGS white-lists noembed or noscript (not the default), thanks @masatokinugawa
Added better internal code hardening, thanks @choumx
Extended the SVG attribute whitelist
Added more tests
Added better browser coverage for CI via BrowserStack
Cleaned up legacy browser coverage for CI via BrowserStack

1.0.9

Extended array of tested browsers
Fixed a build error caused by npm@natives
Optimized handling of leading white-space
Squashed a memory leak
Removed a spurious alert from internal tests
Removed internal test for fixed Edge mXSS

Recommended read, covering Trusted Types and compatibility implications: https://github.com/cure53/DOMPurify#what-about-dompurify-and-trusted-types

1.0.8

Reduced installed library footprint a bit
Added better in-depth protection against Gadget XSS, thanks Jun!
Added cosmetic changes to README.md
Added several new tests

1.0.7

Fixed a bypass for older MS Edge found by Gareth Heyes / @hackvertor

1.0.6

Added new configuration flag IN_PLACE for very fast "in place" node sanitization
See #288 for additional details

1.0.5

Added better test coverage for latest browsers
Added better test coverage for latest NodeJS
Fixed a loop when ALLOW_TAGS-collides with WHOLE_DOCUMENT
Fixed a CDATA encoding bug with SAFE_FOR_JQUERY
Removed Safari 10.1/11.1 TP specific security workarounds

1.0.4

Added several more SVG attributes to white-list
Update code example to show usage with older JSDOM API
Updated jQuery version for test suite

1.0.3

Added support for more attributes (srcset, crossdorigin etc.)
Fixed overzealous DOM clobbering protection
Added support for URI regex customization via ALLOWED_URI_REGEXP

1.0.2

Made DOMPurify be fully CSP compliant

1.0.1

Fixed various issues with the node.js loader Fixed various issues with the test-suite

1.0.0

Refactored DOMPurify to ES2016/ES2017
Fixed an exception on iOS Safari
Fixed a JSDOM related bug on node.js
Fixed numerous minor issues
Added markup profiles feature

0.9.0

Fixed and worked around newly discovered variations of the Safari 10.1 - 10.2 XSS
Fixed unsafe document generation for Safari 10.1 and 10.2
Added feature test to spot additionally broken versions if necessary
Added a configuration flag to use persistent configuration

0.8.9

Fixed another aspect of the Safari XSS
Added better checks for old Firefox mXSS

0.8.7

Cleaned up after Safari emergency fix
General code and comment clean-up
Added test for Firefox mXSS issue
Added more browsers to the test array

Big thanks go to Egor Karbutov @ShikariSenpai and Egor Saltykov @ansjdnakjdnajkd for spotting and reporting the Safari issue to FastMail!

0.8.6

Fixed an XSS in Safari 10.1 and 10.2 introduced by a Safari browser bug
- On Safari 10.1 and 10.2, this now actually causes XSS. Good job, Safari. Not.
- new DOMParser().parseFromString('<svg onload=alert(document.domain)>', 'text/html');
Fixed a minor return value problem on MSIE11 (see #198)
Added new flag FORCE_BODY to enable better handling of HTML starting with style and other elements a browser might move into the header (see #199)
Added white-listing for ARIA attributes (see #203)
Fixed a minor bug in the URI white-list regex (see #200)
Fixed a bug where data URI attributes would be removed from SVG content (see #205)

0.8.5

Allowed users to pass DOM nodes for sanitization
Fixed a small problem with empty DOM fragments on MSIE11
Fixed removal of data: URIs in img-src when having whitespaces
Added more test coverage

0.8.4

Made the uponSanitizeElement and uponSanitizeAttribute hooks more powerful (see #184)
Updated MentalJS sandbox in the demo folder

0.8.3

Reduced the NPM package footprint

0.8.2

Fixed a bug with the handling of binary attributes
Added more test cases

0.8.1

Fixed a security bug when ALLOW_UNKNOWN_PROTOCOLS is true (not the default) reported and addressed by @neilj
Added more tests to cover the security fix
Added more browsers to BrowserStack test-array
Fixed some minor issue with DOM element removal log

0.8.0

Added DOMPurify.removed to allow analyzing what elements and attributes were removed
Added much better compatibility with SVG images, filters and other SVG elements
Enhanced support for Data URIs
Enhanced support for Node.js and jsdom
Enhanced tests and reduced useless output
Added automated tests for Node.js and jsdom support
Added more browsers to automated tests (Edge 13, Chrome 50, Firefox 46)
Updated documentation and credits
Fixed smaller glitches on MSIE10
Fixed an issue with Shadow DOM on mobile Chrome

0.7.4

Moved handling of URI-attributes from black-list to white-list
Optimized the code
Optimized regular expressions in use
Made all data-* attributes become URI-safe
Fixed a security bug in SAFE_FOR_TEMPLATING mode, spotted by @filedescriptor

0.7.3

Better fall-back handling for IE8 and IE9
Better compatibility with SVG filters and filter elements

0.7.2

Fixed a crash in Safari 9
Added SAFE_FOR_TEMPLATES flag to aggressively scrub template delimiters and content
Added better test coverage
Added CI coverage for MS Edge
Fixed fall-back behaviour for IE6-IE8
Enhanced and updated the documentation

0.7.1

Added better test coverage
Added tests for document.write() behavior
Added better SVG compatibility
Changed the CI log outout
Added better local testing capabilities

0.7.0

Added better compatibility for older browsers
Added better test coverage
Added /dist folder with a tested compressed DOMPurify version
Optimized internal document creation process
Optimized browser tests, now covering eight browsers
Optimized code style
Updated wiki pages and readmes

0.6.7

Security Release Please update!
Fixed a possible security issue based on a newly spotted Firefox bug (explanation below)
Replaced document.implementation by DOMParser.parseFromString()
Changed location of purify.js from / to /src
Extended the range of tested browsers on BrowserStack

Details about the Security Issue

Problem: https://bugzilla.mozilla.org/show_bug.cgi?id=1205631

Attack Scenario: The bug only manifested itself if the sanitized HTML DOMPurify created would be written to a document using document.write() or alike. Applications, that set the sanitized HTML by using innerHTML or outerHTML are not affected at all. Applications that do not allow SVG are also not affected at all.

The security issue is caused by a non-standard behavior of Gecko (the Firefox browser-engine) and a peculiar way of working with innerHTML-assignments. The following code snippets illustrate the issue:

<script>
// This is SAFE (but shouldn't be!)
document.body.innerHTML='<svg><p><style><img src="</style><img src=x onerror=alert(1)//">'
</script>


<script>
// This is UNSAFE
document.write('<svg><p><style><img src="</style><img src=x onerror=alert(1)//">')
</script>

Users who install this latest release are not affected by the bug anymore as DOMPurify fixes around the problem and mitigates the issue by not trusting Gecko's innerHTML implementation any much longer. Instead of the combination of document.implementation and doc.body.outerHTML, DOMPurify is now using the DOMParser feature available in all modern browsers.

This change is expected to be non-breaking, no API changes or other side-effects are expected.

Thanks @mozfreddyb for assisting with this fix.

0.6.6

Fixed around an MSIE/Edge bug causing freezes #89
Changed from MPL-2.0 to a dual license of Apache-2.0 and MPL-2.0
Fixed all tests for Microsoft Edge

0.6.5

New CSS sanitizer demo hook
New HTTP proxy demo hook
New URI scheme white-list demo hook
Better compatibility with Microsoft Edge
Better tolerance for custom data attributes
Fixed a crash on Firefox
Fixed id and name attribute checks
Multiple minor fixes and performance enhancements
Better documentation

0.6.4

DOMPurify can now use a custom-made window object
Added hooks can now be removed and flushed
A possible clobbering effect for
has been mitigated
Optimizations for RTE / Copy&Paste compatibility
Test suite has been optimized for better error output
Fixed a crash in Safari
Updated MentalJS library in demo hooks

0.6.3

Merged countless optimizations and beautifications by @neilj
Optimized performance thanks to @neilj
Fixed a minor bug with the RETURN_DOM flag thanks to @neilj
Detailed list of changes: https://github.com/cure53/DOMPurify/pull/52

0.6.2

Added hook demo for MentalJS JavaScript sandbox
Fixed a typo in the hook labels
Added additional hooks with meta-data objects
Fixed the tests for Project Spartan 0.10.10049

0.6.1

Fixed several security issues identified by a 3rd party code audit
Removed support for MSIE9
Enabled toStaticHTML fallback for MSIE9

0.6.0

Important: This is a feature-release, not a security update.

Added Hook API to allow custom extensions and plugins
Added config flag FORBID_TAGS to blacklist specific tags
Added config flag FORBID_ATTR to blacklist specific attributes
Added demo folder with various showcases / usage examples
Extended unit tests
Added version label to DOMPurify object

0.4.5

Fixed a minor DOM clobbering issue reported by @filedescriptor
Made sure present but empty DOM properties cannot be clobbered
Made sure that document.all cannot be clobbered by avoiding typeof

0.4.4

Fixed a bug in the clobber detection potentially leading to XSS, thanks @avlidienbrunn
Fixed an undefined error
Fixed a range error
Added a pre-test for better performance

0.4.3

Add Common JS support for browserify (Node.js is not supported yet)

0.4.2

Fixed a security issue in WebKit/Blink leading to a bypass (discovered & reported by Tom Ritter of iSEC Partners)
Extended test-suite