Skip to content

Releases: rgrove/sanitize

v2.1.1

30 Sep 20:48
@rgrove rgrove
v2.1.1
8dc3dca
Compare
Choose a tag to compare
v2.1.1

  • CVE-2018-3740: Fixed an HTML injection vulnerability that could allow XSS (backported from Sanitize 4.6.3). @dometto - #188

    When Sanitize <= 2.1.0 is used in combination with libxml2 >= 2.9.2, a specially crafted HTML fragment can cause libxml2 to generate improperly escaped output, allowing non-whitelisted attributes to be used on whitelisted elements.

    Sanitize now performs additional escaping on affected attributes to prevent this.

    Many thanks to the Shopify Application Security Team for responsibly reporting this issue.

Assets 2

v4.6.6

24 Jul 03:29
@rgrove rgrove
v4.6.6
cee5bfa
Compare
Choose a tag to compare
v4.6.6
  • Improved performance and memory usage by optimizing Sanitize#transform_node! @stanhu - #183
Assets 2

v4.6.5

17 May 03:07
@rgrove rgrove
v4.6.5
662b0e3
Compare
Choose a tag to compare
v4.6.5
  • Improved performance slightly by tweaking the order of built-in transformers. @rafbm - #180
Assets 2

4.6.4 (2018-03-20)

20 Mar 16:41
@rgrove rgrove
v4.6.4
acc7e64
Compare
Choose a tag to compare
4.6.4 (2018-03-20)
  • Fixed: A change introduced in 4.6.2 broke certain transformers that relied on being able to mutate the name of an HTML node. That change has been reverted and a test has been added to cover this case. @zetter - #177
Assets 2

4.6.3 (2018-03-19)

20 Mar 02:52
@rgrove rgrove
v4.6.3
5f66eb1
Compare
Choose a tag to compare
4.6.3 (2018-03-19)

  • CVE-2018-3740: Fixed an HTML injection vulnerability that could allow XSS.

    When Sanitize <= 4.6.2 is used in combination with libxml2 >= 2.9.2, a specially crafted HTML fragment can cause libxml2 to generate improperly escaped output, allowing non-whitelisted attributes to be used on whitelisted elements.

    Sanitize now performs additional escaping on affected attributes to prevent this.

    Many thanks to the Shopify Application Security Team for responsibly reporting this issue.

Assets 2

4.6.2 (2018-03-19)

19 Mar 19:00
@rgrove rgrove
v4.6.2
0eee92e
Compare
Choose a tag to compare
4.6.2 (2018-03-19)
Assets 2

4.6.1 (2018-03-15)

15 Mar 22:56
@rgrove rgrove
v4.6.1
184709b
Compare
Choose a tag to compare
4.6.1 (2018-03-15)
Assets 2

4.6.0 (2018-01-29)

30 Jan 01:50
@rgrove rgrove
v4.6.0
1cbdff3
Compare
Choose a tag to compare
4.6.0 (2018-01-29)
  • Loosened the Nokogumbo dependency to allow installing semver-compatible versions greater than or equal to v1.4. @rafbm - #171
Assets 2

4.5.0 (2017-06-04)

04 Jun 22:55
@rgrove rgrove
v4.5.0
c1b5ff2
Compare
Choose a tag to compare
4.5.0 (2017-06-04)

  • Added SVG-related CSS properties to the relaxed config. See the diff for the full list of added properties. @louim - #161

  • Fixed: Sanitize now strips null bytes (\u0000) before passing input to Nokogumbo, since they can cause recent versions to crash with a failed assertion in the Gumbo parser.

Assets 2

4.4.0 (2016-09-29)

30 Sep 00:21
@rgrove rgrove
v4.4.0
c2343fd
Compare
Choose a tag to compare
4.4.0 (2016-09-29)
  • Added srcset to the attribute whitelist for img elements in the relaxed config. @ejtttje - #156
Assets 2