Sourced from dompurify's releases.
DOMPurify 3.4.8
- Cleaned up the repository root, renamed some and removed unneeded files
- Fixed an issue with handling of Trusted Types policies, thanks
@fulstadev- Fixed the node iterator for better template scrubbing, thanks
@IamLeandrooooo- Included formerly missing LICENSE-MPL in published npm package, thanks
@asamuzaK- Bumped several dependencies where possible
DOMPurify 3.4.7
- Hardened the handling of Shadow Roots when using
IN_PLACE, thanks@GameZoneHacker- Removed a problem leading to permanent hook pollution, thanks
@offset- Refactored the test suite and expanded test coverage significantly
DOMPurify 3.4.6
- Fixed several issues with DOM Clobbering in
IN_PLACEmode, thanks@offset&@Bankde- Hardened the checks for cross-realm
IN_PLACEand Shadow DOM sanitization, thanks@offset&@Bankde- Added more test coverage for
IN_PLACEand general DOM Clobbering attacks- Bumped several dependencies where possible
DOMPurify 3.4.5
- Fixed a bypass caused by the new HTML element
selectedcontentadded in 3.4.4, thanks@KabirAcharyaNote that this is a security release for an issue introduced in 3.4.4 and should be upgraded to immediately.
DOMPurify 3.4.4
- Added the
selectedcontentelement to default allow-list, thanks@lukewarlow- Added the
commandandcommandforattributes to default allowed-list, thanks@lukewarlow- Added better template scrubbing for
IN_PLACEoperations, thanks@DEMON1A- Added stronger checks for cross-realm windows, thanks
@DEMON1A&@fg0x0- Updated demo website and made sure it uses the latest from main
- Updated existing workflows, fuzzer, dependabot, etc., added more tests
- Bumped several dependencies where possible
🚨 This release had been flagged as deprecated, please use DOMPurify 3.4.5 instead 🚨
DOMPurify 3.4.3
- Fixed an issue with handling of nested Shadow DOM trees, thanks
@fishjojo1- Fixed the template regexes to be more robust against ReDoS attacks, thanks
@aleung27- Updated the node iteration code to catch more Shadow DOM related issues
- Updated Playwright and added Node 26 to test matrix
- Updated existing workflows, fuzzer, release signing, etc., added more tests
- Bumped several dependencies where possible
DOMPurify 3.4.2
- Fixed an issue with URI validation on attributes allowed via
ADD_ATTRcallback, thanks@nelstrom- Fixed an issue with source maps referring to non-existing files, thanks
@cmdcolin- Updated existing workflows, fuzzer, release signing, etc., added more tests
- Bumped several dependencies where possible
DOMPurify 3.4.1
- Fixed an issue with on-handler stripping for HTML-spec-reserved custom element names (
font-face,color-profile,missing-glyph,font-face-src,font-face-uri,font-face-format,font-face-name) under permissiveCUSTOM_ELEMENT_HANDLING
... (truncated)
bcdd828
release: 3.4.8 (#1439)ca30f07
release: 3.4.7 (#1414)bb7739e
release: 3.4.6 (#1394)011b0c7
release: 3.4.5 (#1382)5817ad9
release: 3.4.4 (#1374)520edb0
release: 3.4.3 (#1352)6f67fd3
Sync/3.4.2 (#1322)5b0cdbb
chore: merge main into 3.x for 3.4.1 release (#1301)09f5911
test: added three more browsers to test setup (OSX, mobile)5b16e0b
Getting 3.x branch ready for 3.4.0 release (#1250)This version adds prepare script that runs during
installation. Review the package contents before updating.