Sourced from dompurify's releases.

DOMPurify 2.5.4

- Fixed a bug with latest isNaN checks affecting MSIE, thanks @tulach
- Fixed the tests for MSIE and fixed related test-runner

DOMPurify 2.5.3

- Fixed several mXSS variations found by and thanks to @kevin-mizu & @Ry0taK
- Added better configurability for comment scrubbing default behavior
- Added better hardening against Prototype Pollution attacks, thanks @kevin-mizu
- Fixed some smaller issues in README and other documentation

DOMPurify 2.5.2

- Addressed and fixed a mXSS variation found by @kevin-mizu
- Addressed and fixed a mXSS variation found by Adam Kues of Assetnote
- Updated tests for older Safari and Chrome versions

DOMPurify 2.5.1

- Fixed an mXSS sanitizer bypass reported by @icesfont
- Added new code to track element nesting depth
- Added new code to enforce a maximum nesting depth of 255
- Added coverage tests and necessary clobbering protections

Note that this is a security release and should be upgraded to immediately. Please also note that further releases may follow as the underlying vulnerability is apparently new and further variations may be discovered.

DOMPurify 2.5.0

- Added new setting SAFE_FOR_XML to enable better control over comment scrubbing
- Updated the LICENSE file to show the accurate year number
- Updated several build and test dependencies

DOMPurify 2.4.9

- Fixed another conditional bypass caused by Processing Instructions, thanks @Ry0taK
- Fixed the regex for HTML Custom Element detection, thanks @AlekseySolovey3T

DOMPurify 2.4.8

- Fixed two possible bypasses when sanitizing an XML document and later using it in HTML, thanks @Slonser

DOMPurify 2.4.7

- Fixed a licensing issue spotted and reported by @george-thomas-hill

DOMPurify 2.4.6

- Fixed a bypass in jsdom 22 in case the noframes element is permitted, thanks @leeN

DOMPurify 2.4.5

- Fixed a problem with improper reset of custom HTML options, thanks @ammaraskar

DOMPurify 2.4.4

- Added support for ALLOW_SELF_CLOSE_IN_ATTR flag, thanks @edg2s @AndreVirtimo
- Added better support for shadowrootmode, thanks @mfreed7

DOMPurify 2.4.3

- Final release that is compatible with MSIE10 & MSIE 11

... (truncated)

- 10c1261 docs: Updated README ever so slightly
- 1c92880 test: Fixed two more tests for MSIE11 and Edge 18
- 1401208 test: Fixed more tests for MSIE and Edge 18
- 2c6410a test: Fixed several new tests for MSIE11 and Edge 18
- 2c9bca9 test: Changed github config to include MSIE tests for 2.x
- b188787 chore: Preparing 2.5.4 release
- 707b3d6 fix: Added a better for for the MSIE iNaN issue
- 62fe3be test: Attempting to get MSIE 11 back into the browser test array
- f3a9710 fix: Fixed an issue with MSIE and no support for Number.isNaN
- e1ddfc7 Merge branch '2.x' of github.com:cure53/DOMPurify into 2.x

Sourced from webpack's releases.

v5.94.0

Bug Fixes

- Added runtime condition for harmony reexport checked
- Handle properly data/http/https protocols in source maps
- Make bigint optimistic when browserslist not found
- Move @types/eslint-scope to dev deps
- Related in asset stats is now always an array when no related found
- Handle ASI for export declarations
- Mangle destruction incorrect with export named default properly
- Fixed unexpected asi generation with sequence expression
- Fixed a lot of types

New Features

- Added new external type "module-import"
- Support webpackIgnore for new URL() construction
- [CSS] @import pathinfo support

Security

- Fixed DOM clobbering in auto public path

v5.93.0

Bug Fixes

- Generate correct relative path to runtime chunks
- Makes DefinePlugin quieter under default log level
- Fixed mangle destructuring default in namespace import
- Fixed consumption of eager shared modules for module federation
- Strip slash for pretty regexp
- Calculate correct contenthash for CSS generator options

New Features

- Added the binary generator option for asset modules to explicitly keep source maps produced by loaders
- Added the modern-module library value for tree shakable output
- Added the overrideStrict option to override strict or non-strict mode for javascript modules

v5.92.1

Bug Fixes

- Doesn't crash with an error when the css experiment is enabled and contenthash is used

v5.92.0

Bug Fixes

- Correct tilde range's computation for module federation
- Consider runtime for pure expression dependency update hash
- Return value in the subtractRuntime function for runtime logic

... (truncated)

- eabf85d chore(release): 5.94.0
- 955e057 security: fix DOM clobbering in auto public path
- 9822387 test: fix
- cbb86ed test: fix
- 5ac3d7f fix: unexpected asi generation with sequence expression
- 2411661 security: fix DOM clobbering in auto public path
- b8c03d4 fix: unexpected asi generation with sequence expression
- f46a03c revert: do not use heuristic fallback for "module-import"
- 60f1898 fix: do not use heuristic fallback for "module-import"
- 66306aa Revert "fix: module-import get fallback from externalsPresets"

Sourced from micromatch's releases.

4.0.8

Ultimate release that fixes both CVE-2024-4067 and CVE-2024-4068. We consider the issues low-priority, so even if you see automated scanners saying otherwise, don't be scared.

Sourced from micromatch's changelog.

[4.0.8] - 2024-08-22

- backported CVE-2024-4067 fix (from v4.0.6) over to 4.x branch

[4.0.7] - 2024-05-22

- this is basically v4.0.5, with some README updates
- it is vulnerable to CVE-2024-4067
- Updated braces to v3.0.3 to avoid CVE-2024-4068
- does NOT break API compatibility

[4.0.6] - 2024-05-21

- Added hasBraces to check if a pattern contains braces.
- Fixes CVE-2024-4067
- BREAKS API COMPATIBILITY
- Should be labeled as a major release, but it's not.

- 8bd704e 4.0.8
- a0e6841 run verb to generate README documentation
- 4ec2884 Merge branch 'v4' into hauserkristof-feature/v4.0.8
- 03aa805 Merge pull request #266 from hauserkristof/feature/v4.0.8
- 814f5f7 lint
- 67fcce6 fix: CHANGELOG about braces & CVE-2024-4068, v4.0.5
- 113f2e3 fix: CVE numbers in CHANGELOG
- d9dbd9a feat: updated CHANGELOG
- 2ab1315 fix: use actions/setup-node@v4
- 1406ea3 feat: rework test to work on macos with node 10,12 and 14