cure53 · cure53 · Apr 26, 2024 · Apr 26, 2024 · Apr 26, 2024 · Apr 26, 2024
diff --git a/README.md b/README.md
@@ -6,11 +6,11 @@
 
 DOMPurify is a DOM-only, super-fast, uber-tolerant XSS sanitizer for HTML, MathML and SVG.
 
-It's also very simple to use and get started with. DOMPurify was [started in February 2014](https://github.com/cure53/DOMPurify/commit/a630922616927373485e0e787ab19e73e3691b2b) and, meanwhile, has reached version **v3.1.0**.
+It's also very simple to use and get started with. DOMPurify was [started in February 2014](https://github.com/cure53/DOMPurify/commit/a630922616927373485e0e787ab19e73e3691b2b) and, meanwhile, has reached version **v3.1.1**.
 
 DOMPurify is written in JavaScript and works in all modern browsers (Safari (10+), Opera (15+), Edge, Firefox and Chrome - as well as almost anything else using Blink, Gecko or WebKit). It doesn't break on MSIE or other legacy browsers. It simply does nothing.
 
-**Note that [DOMPurify v2.5.0](https://github.com/cure53/DOMPurify/releases/tag/2.5.0) is the latest version supporting MSIE. For important security updates compatible with MSIE, please use the [2.x branch](https://github.com/cure53/DOMPurify/tree/2.x).**
+**Note that [DOMPurify v2.5.1](https://github.com/cure53/DOMPurify/releases/tag/2.5.1) is the latest version supporting MSIE. For important security updates compatible with MSIE, please use the [2.x branch](https://github.com/cure53/DOMPurify/tree/2.x).**
 
 Our automated tests cover [19 different browsers](https://github.com/cure53/DOMPurify/blob/main/test/karma.custom-launchers.config.js#L5) right now, more to come. We also cover Node.js v16.x, v17.x, v18.x and v19.x, running DOMPurify on [jsdom](https://github.com/jsdom/jsdom). Older Node versions are known to work as well, but hey... no guarantees.
 

diff --git a/bower.json b/bower.json
@@ -1,6 +1,6 @@
 {
   "name": "DOMPurify",
-  "version": "3.1.0",
+  "version": "3.1.1",
   "homepage": "https://github.com/cure53/DOMPurify",
   "author": "Cure53 <info@cure53.de>",
   "description": "A DOM-only, super-fast, uber-tolerant XSS sanitizer for HTML, MathML and SVG",

diff --git a/dist/purify.cjs.js b/dist/purify.cjs.js
diff --git a/dist/purify.cjs.js.map b/dist/purify.cjs.js.map
diff --git a/dist/purify.es.mjs b/dist/purify.es.mjs
@@ -1,4 +1,4 @@
-/*! @license DOMPurify 3.1.0 | (c) Cure53 and other contributors | Released under the Apache license 2.0 and Mozilla Public License 2.0 | github.com/cure53/DOMPurify/blob/3.1.0/LICENSE */
+/*! @license DOMPurify 3.1.1 | (c) Cure53 and other contributors | Released under the Apache license 2.0 and Mozilla Public License 2.0 | github.com/cure53/DOMPurify/blob/3.1.1/LICENSE */
 
 const {
   entries,
@@ -282,7 +282,7 @@ function createDOMPurify() {
    * Version label, exposed for easier checks
    * if DOMPurify is up to date or not
    */
-  DOMPurify.version = '3.1.0';
+  DOMPurify.version = '3.1.1';
 
   /**
    * Array of elements that DOMPurify removed during sanitation.
@@ -516,7 +516,7 @@ function createDOMPurify() {
   let CONFIG = null;
 
   /* Specify the maximum element nesting depth to prevent mXSS */
-  const MAX_NESTING_DEPTH = 500;
+  const MAX_NESTING_DEPTH = 255;
 
   /* Ideally, do not touch anything below this line */
   /* ______________________________________________ */

diff --git a/dist/purify.es.mjs.map b/dist/purify.es.mjs.map
diff --git a/dist/purify.js b/dist/purify.js
diff --git a/dist/purify.js.map b/dist/purify.js.map
diff --git a/dist/purify.min.js b/dist/purify.min.js
diff --git a/dist/purify.min.js.map b/dist/purify.min.js.map
diff --git a/package-lock.json b/package-lock.json
diff --git a/package.json b/package.json
@@ -98,7 +98,7 @@
   },
   "name": "dompurify",
   "description": "DOMPurify is a DOM-only, super-fast, uber-tolerant XSS sanitizer for HTML, MathML and SVG. It's written in JavaScript and works in all modern browsers (Safari, Opera (15+), Internet Explorer (10+), Firefox and Chrome - as well as almost anything else using Blink or WebKit). DOMPurify is written by security people who have vast background in web attacks and XSS. Fear not.",
-  "version": "3.1.0",
+  "version": "3.1.1",
   "directories": {
     "test": "test"
   },

diff --git a/src/purify.js b/src/purify.js
@@ -389,7 +389,7 @@ function createDOMPurify(window = getGlobal()) {
   let CONFIG = null;
 
   /* Specify the maximum element nesting depth to prevent mXSS */
-  const MAX_NESTING_DEPTH = 500;
+  const MAX_NESTING_DEPTH = 255;
 
   /* Ideally, do not touch anything below this line */
   /* ______________________________________________ */

diff --git a/test/test-suite.js b/test/test-suite.js
@@ -2107,28 +2107,28 @@
 
     QUnit.test('Test proper handling of nesting-based mXSS 1/3', function (assert) {
 
-      let dirty = `${`<div>`.repeat(496)}${`</div>`.repeat(496)}<img>`;
-      let expected = `${`<div>`.repeat(496)}${`</div>`.repeat(496)}<img>`;
+      let dirty = `${`<div>`.repeat(250)}${`</div>`.repeat(250)}<img>`;
+      let expected = `${`<div>`.repeat(250)}${`</div>`.repeat(250)}<img>`;
       let clean = DOMPurify.sanitize(dirty);
       assert.contains(clean, expected);
 
-      dirty = `${`<div>`.repeat(500)}${`</div>`.repeat(500)}<img>`;
-      expected = `${`<div>`.repeat(498)}${`</div>`.repeat(498)}<img>`;
+      dirty = `${`<div>`.repeat(255)}${`</div>`.repeat(255)}<img>`;
+      expected = `${`<div>`.repeat(253)}${`</div>`.repeat(253)}<img>`;
       clean = DOMPurify.sanitize(dirty);
       assert.contains(clean, expected);
 
-      dirty = `${`<div>`.repeat(502)}${`</div>`.repeat(502)}<img>`;
-      expected = `${`<div>`.repeat(498)}${`</div>`.repeat(498)}<img>`;
+      dirty = `${`<div>`.repeat(257)}${`</div>`.repeat(257)}<img>`;
+      expected = `${`<div>`.repeat(253)}${`</div>`.repeat(253)}<img>`;
       clean = DOMPurify.sanitize(dirty);
       assert.contains(clean, expected);
 
-      dirty = `<template>${`<div>`.repeat(502)}${`</div>`.repeat(502)}<img>`;
-      expected = `<template>${`<div>`.repeat(498)}${`</div>`.repeat(498)}<img>`;
+      dirty = `<div><template>${`<div>`.repeat(257)}${`</div>`.repeat(257)}<img>`;
+      expected = `<div><template>${`<div>`.repeat(251)}${`</div>`.repeat(251)}<img></template></div>`;
       clean = DOMPurify.sanitize(dirty);
       assert.contains(clean, expected);
 
-      dirty = `<div><template>${`<r>`.repeat(497)}<img>${`</r>`.repeat(
-        497
+      dirty = `<div><template>${`<r>`.repeat(255)}<img>${`</r>`.repeat(
+        255
       )}</template></div><img>`;
       expected = `<div><template></template></div><img>`;
       clean = DOMPurify.sanitize(dirty);
@@ -2141,15 +2141,15 @@
       let dirty = `<form><input name="__depth">${`<div>`.repeat(500)}${`</div>`.repeat(500)}<img>`;
       let expected = [
           ``,
-          `<form><input name="__depth">${`<div>`.repeat(497)}${`</div>`.repeat(497)}<img></form>`,
+          `<form><input name="__depth">${`<div>`.repeat(252)}${`</div>`.repeat(252)}<img></form>`,
       ];
       let clean = DOMPurify.sanitize(dirty);
       assert.contains(clean, expected);
 
       dirty = `<form><input name="__depth"></form>${`<div>`.repeat(500)}${`</div>`.repeat(500)}<img>`;
       expected = [
-          `${`<div>`.repeat(498)}${`</div>`.repeat(498)}<img>`,
-          `<form><input name="__depth"></form>${`<div>`.repeat(498)}${`</div>`.repeat(498)}<img>`
+          `${`<div>`.repeat(253)}${`</div>`.repeat(253)}<img>`,
+          `<form><input name="__depth"></form>${`<div>`.repeat(253)}${`</div>`.repeat(253)}<img>`
       ];
       clean = DOMPurify.sanitize(dirty);
       assert.contains(clean, expected);
@@ -2160,8 +2160,8 @@
       expected = [
         ``,
         `<form><input name="__removalCount">${`<div>`.repeat(
-          497
-        )}${`</div>`.repeat(497)}<img></form>`,
+          252
+        )}${`</div>`.repeat(252)}<img></form>`,
       ];
       clean = DOMPurify.sanitize(dirty);
       assert.contains(clean, expected);
@@ -2170,10 +2170,10 @@
         500
       )}${`</div>`.repeat(500)}<img>`;
       expected = [
-        `${`<div>`.repeat(498)}${`</div>`.repeat(498)}<img>`,
+        `${`<div>`.repeat(253)}${`</div>`.repeat(253)}<img>`,
         `<form><input name="__removalCount"></form>${`<div>`.repeat(
-          498
-        )}${`</div>`.repeat(498)}<img>`,
+          253
+        )}${`</div>`.repeat(253)}<img>`,
       ];
       clean = DOMPurify.sanitize(dirty);
       assert.contains(clean, expected);

diff --git a/website/index.html b/website/index.html
@@ -2,7 +2,7 @@
 <html>
     <head>
         <meta charset="UTF-8">
-        <title>DOMPurify 3.1.0 "Time Traveler"</title>
+        <title>DOMPurify 3.1.1 "For Workgroups"</title>
         <script src="../dist/purify.min.js"></script>
         <!-- we don't actually need it - just to demo and test the $(html) sanitation -->
         <script src="//code.jquery.com/jquery-3.2.0.min.js"></script>
@@ -23,7 +23,7 @@
         </script>
     </head>
     <body>
-        <h4>DOMPurify 3.1.0 "Time Traveler"</h4>
+        <h4>DOMPurify 3.1.1 "For Workgroups"</h4>
         <p>
             <a href="http://badge.fury.io/js/dompurify" rel="nofollow"><img alt="npm version" src="https://badge.fury.io/js/dompurify.svg"></a>  
             <a target="_blank" rel="noopener noreferrer" href="https://github.com/cure53/DOMPurify/workflows/Build%20and%20Test/badge.svg?branch=main"><img src="https://github.com/cure53/DOMPurify/workflows/Build%20and%20Test/badge.svg?branch=main" alt="Build and Test"></a>