Sourced from dompurify's releases.
DOMPurify 3.2.7
- Added new attributes and elements to default allow-list, thanks
@elrion018- Added
tagNameparameter to custom elementattributeNameCheck, thanks@nelstrom- Added better check for animated
hrefattributes, thanks@llamakko- Updated and improved the bundled types, thanks
@ssi02014- Updated several tests to better align with new browser encoding behaviors
- Improved the handling of potentially risky content inside CDATA elements, thanks
@securityMB&@terjanq- Improved the regular expression for raw-text elements to cover textareas, thanks
@securityMB&@terjanqDOMPurify 3.2.6
- Fixed several typos and removed clutter from our documentation, thanks
@Rotzbua- Added
matrix:as an allowed URI scheme, thanks@kleinesfilmroellchen- Added better config hardening against prototype pollution, thanks
@EffectRenan- Added better handling of attribute removal, thanks
@michalnieruchalski-tiugo- Added better configuration for aggressive mXSS scrubbing behavior, thanks
@BryanValverdeU- Removed the script that caused the fake entry CVE-2025-48050
DOMPurify 3.2.5
- Added a check to the mXSS detection regex to be more strict, thanks
@masatokinugawa- Added ESM type imports in source, removes patch function, thanks
@donmccurdy- Added script to verify various TypeScript configurations, thanks
@reduckted- Added more modern browsers to the Karma launchers list
- Added Node 23.x to tested runtimes, removed Node 17.x
- Fixed the generation of source maps, thanks
@reduckted- Fixed an unexpected behavior with
ALLOWED_URI_REGEXPusing the 'g' flag, thanks@hhk-png- Fixed a few typos in the README file
DOMPurify 3.2.4
- Fixed a conditional and config dependent mXSS-style bypass reported by
@nsysean- Added a new feature to allow specific hook removal, thanks
@davecardwell- Added purify.js and purify.min.js to exports, thanks
@Aetherinox- Added better logic in case no window object is president, thanks
@yehuya- Updated some dependencies called out by dependabot
- Updated license files etc to show the correct year
DOMPurify 3.2.3
- Fixed two conditional sanitizer bypasses discovered by
@parrot409and@Slonser- Updated the attribute clobbering checks to prevent future bypasses, thanks
@parrot409DOMPurify 3.2.2
- Fixed a possible bypass in case a rather specific config for custom elements is set, thanks
@yaniv-git- Fixed several minor issues with the type definitions, thanks again
@reduckted- Fixed a minor issue with the types reference for trusted types, thanks
@reduckted- Fixed a minor problem with the template detection regex on some systems, thanks
@svdb99DOMPurify 3.2.1
- Fixed several minor issues with the type definitions, thanks
@reduckted@ghiscoding@asamuzaK@MiniDigger- Fixed an issue with non-minified dist files and order of imports, thanks
@reduckted
... (truncated)
eaa0bdb
Merge pull request #1144
from cure53/mainf712593
fix: removed a possibly dossy regexeb9b3b6
Merge branch 'main' of github.com:cure53/DOMPurifyce006f7
chore: Preparing 3.2.7 releaseef0e0cb
chore: Preparing 3.2.6 release2f09cd3
Update README.md6a795bc
Merge pull request #1142
from cure53/dependabot/github_actions/actions/setup-...2458bbd
build(deps): bump actions/setup-node from 4 to 5e43d3f3
Merge pull request #1136
from cure53/dependabot/github_actions/actions/checko...6f5be37
build(deps): bump actions/checkout from 4 to 5