DOMPurify Versions Save

DOMPurify - a DOM-only, super-fast, uber-tolerant XSS sanitizer for HTML, MathML and SVG. DOMPurify works with a secure default, but offers a lot of configurability and hooks. Demo:

3.1.3

1 week ago
  • Fixed several mXSS variations found by and thanks to @kevin-mizu & @Ry0taK
  • Added better configurability for comment scrubbing default behavior
  • Added better hardening against Prototype Pollution attacks, thanks @kevin-mizu
  • Added better handling and readability of the nodeType property, thanks @ssi02014
  • Fixed some smaller issues in README and other documentation

2.5.3

1 week ago
  • Fixed several mXSS variations found by and thanks to @kevin-mizu & @Ry0taK
  • Added better configurability for comment scrubbing default behavior
  • Added better hardening against Prototype Pollution attacks, thanks @kevin-mizu
  • Fixed some smaller issues in README and other documentation

3.1.2

2 weeks ago
  • Addressed and fixed an mXSS variation found by @kevin-mizu
  • Addressed and fixed an mXSS variation found by Adam Kues of Assetnote
  • Updated tests for older Safari and Chrome versions

2.5.2

2 weeks ago
  • Addressed and fixed an mXSS variation found by @kevin-mizu
  • Addressed and fixed an mXSS variation found by Adam Kues of Assetnote
  • Updated tests for older Safari and Chrome versions

3.1.1

3 weeks ago
  • Fixed an mXSS sanitizer bypass reported by @icesfont
  • Added new code to track element nesting depth
  • Added new code to enforce a maximum nesting depth of 255
  • Added coverage tests and necessary clobbering protections

Note that this is a security release and users should upgrade to it immediately. Please also note that further releases may follow, as the underlying vulnerability is apparently new and further variations may be discovered.

2.5.1

3 weeks ago
  • Fixed an mXSS sanitizer bypass reported by @icesfont
  • Added new code to track element nesting depth
  • Added new code to enforce a maximum nesting depth of 255
  • Added coverage tests and necessary clobbering protections

Note that this is a security release and users should upgrade to it immediately. Please also note that further releases may follow, as the underlying vulnerability is apparently new and further variations may be discovered.

3.1.0

1 month ago
  • Added new setting SAFE_FOR_XML to enable better control over comment scrubbing
  • Updated README to warn about happy-dom not being safe for use with DOMPurify yet
  • Updated the LICENSE file to show the accurate year number
  • Updated several build and test dependencies

2.5.0

1 month ago
  • Added new setting SAFE_FOR_XML to enable better control over comment scrubbing
  • Updated the LICENSE file to show the accurate year number
  • Updated several build and test dependencies

3.0.11

1 month ago
  • Fixed another conditional bypass caused by Processing Instructions, thanks @Ry0taK
  • Fixed the regex for HTML Custom Element detection, thanks @AlekseySolovey3T

2.4.9

1 month ago
  • Fixed another conditional bypass caused by Processing Instructions, thanks @Ry0taK
  • Fixed the regex for HTML Custom Element detection, thanks @AlekseySolovey3T