- Fixed several mXSS vectors that were spotted, thanks @masatokinugawa :bowing_man:
- Fixed a minor crash affecting MSIE11, see #372
- Fixed some typos and adjusted the README
- Enhanced the checks for SVG-/MathML-based mXSS
- Removed several obtrusive checks and guards that are not needed any longer
- Added better test coverage
- Added better handling of situations where element removal causes mXSS
- Added better handling of content type switches causing mXSS
- Fixed a logical issue causing overly aggressive SVG removal spotted by @thorn0
Another mXSS variation was spotted by @masatokinugawa and got addressed and fixed in this release.
The fixes were reviewed and no new bypasses could be spotted at the moment.
Thanks, @masatokinugawa :bowing_man: :bowing_woman:!
The sanitization logic for this kind of mXSS was changed to be less aggressive while still catching all recent mXSS variations we know about right now, and to avoid risky string matching.
Prayers and thoughts that this was the final variation. But better be on the lookout for more releases soon.
- Fixed another mXSS variation affecting Chrome, Safari and Edge relating to HTML templates
- Fixed a bug in the config parser leading to unexpected results
Credits for the bypass again go to Michał Bentkowski (@securityMB) of Securitum, who spotted the bug in Chrome, turned it into another DOMPurify bypass, reported it and helped verify the fix :bowing_man: :bowing_woman:
Following the release of DOMPurify 2.0.1, a more thorough internal audit against Blink-based mXSS bugs was conducted. Several mXSS variations spotted by @masatokinugawa were addressed and fixed. The fixes were reviewed and so far no new bypasses could be spotted.
This release manages to find what is believed to be a more holistic way to prevent mXSS bugs, specifically coming from HTML attributes and tags nested inside SVG and MathML.
Further, this release also addresses a DoS problem caused by sanitization of HTML tables when configured with potentially conflicting configuration settings.
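The namespace-consistency idea behind the "holistic" fix above, as an added example that is not DOMPurify's own code: a plain `{ns, name, children}` tree stands in for a DOM, the three namespace URIs are the real ones, and the two integration-point tables come from the HTML parsing spec (SVG `foreignObject`/`desc`/`title` parse their children as HTML; MathML `mi`/`mo`/`mn`/`ms`/`mtext` do likewise). Any element whose namespace its parent cannot legally contain is dropped with its subtree, which is exactly the kind of SVG/MathML nesting that re-parses differently after serialization. The helper names and sample trees are constructed for this example.

```javascript
// Added example, not DOMPurify's code: namespace-consistency pruning over a
// constructed {ns, name, children} tree that stands in for a DOM.
const HTML = 'http://www.w3.org/1999/xhtml';
const SVG = 'http://www.w3.org/2000/svg';
const MATHML = 'http://www.w3.org/1998/Math/MathML';

// HTML parsing spec: SVG elements whose children are parsed as HTML.
const HTML_INTEGRATION_POINTS = new Set(['foreignobject', 'desc', 'title']);
// HTML parsing spec: MathML elements whose children are parsed as HTML.
const MATHML_TEXT_INTEGRATION_POINTS = new Set(['mi', 'mo', 'mn', 'ms', 'mtext']);

// Constructed node helper (stand-in for document.createElementNS).
function el(ns, name, children = []) {
  return { ns, name, children };
}

// True when `node` may legitimately sit directly under `parent`.
function namespacePlacementOk(node, parent) {
  if (!parent) return node.ns === HTML;                 // the root stays HTML
  const name = node.name.toLowerCase();
  const pname = parent.name.toLowerCase();
  switch (node.ns) {
    case SVG:
      if (parent.ns === HTML) return name === 'svg';    // only <svg> opens SVG
      if (parent.ns === MATHML) {
        return name === 'svg' &&
          (pname === 'annotation-xml' || MATHML_TEXT_INTEGRATION_POINTS.has(pname));
      }
      return true;                                      // SVG inside SVG
    case MATHML:
      if (parent.ns === HTML) return name === 'math';   // only <math> opens MathML
      if (parent.ns === SVG) return name === 'math' && HTML_INTEGRATION_POINTS.has(pname);
      return true;                                      // MathML inside MathML
    case HTML:
      if (parent.ns === SVG) return HTML_INTEGRATION_POINTS.has(pname);
      if (parent.ns === MATHML) return MATHML_TEXT_INTEGRATION_POINTS.has(pname);
      return true;                                      // HTML inside HTML
    default:
      return false;                                     // unknown namespace: drop
  }
}

// Depth-first prune that builds a fresh tree; a misplaced element is removed
// together with its whole subtree, and its name is recorded in `removed`.
function prune(node, parent, removed) {
  if (!namespacePlacementOk(node, parent)) {
    removed.push(node.name);
    return null;
  }
  const children = node.children
    .map((child) => prune(child, node, removed))
    .filter((child) => child !== null);
  return { ns: node.ns, name: node.name, children };
}

// Entry point: the surviving tree plus the names that were dropped.
function sanitizeTree(root) {
  const removed = [];
  const kept = prune(root, null, removed);
  return { kept, removed };
}

// Compact "name(child,child)" rendering for inspection.
function serialize(node) {
  if (!node) return '';
  const inner = node.children.map(serialize).join(',');
  return inner ? `${node.name}(${inner})` : node.name;
}

// Constructed samples: one legal foreignObject nesting, then HTML elements
// parked inside SVG and MathML where no integration point allows them.
const SAMPLES = {
  foreignObjectOk: el(HTML, 'div', [el(SVG, 'svg', [el(SVG, 'foreignObject', [el(HTML, 'p')])])]),
  htmlStyleInSvg: el(HTML, 'div', [el(SVG, 'svg', [el(HTML, 'style')])]),
  htmlBInMrow: el(HTML, 'div', [el(MATHML, 'math', [el(MATHML, 'mrow', [el(HTML, 'b')])])]),
  svgDescUnderDiv: el(HTML, 'div', [el(SVG, 'desc')]),
};
```

Running `sanitizeTree` on the samples keeps `div(svg(foreignObject(p)))` untouched and strips `style`, `b` and `desc` from the other three. Because the rule is about where a namespace boundary may be crossed rather than about particular tag or attribute strings, it needs no list of known payloads, which is the point of the "less string matching" direction described above.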
- Fixed a bypass affecting latest Chrome, caused by a newly discovered Chrome mXSS vulnerability
- Added tests to cover implemented fixes
Credits go to Michał Bentkowski (@SecurityMB) of Securitum, who spotted the bug in Chrome, turned it into a DOMPurify bypass, reported it and helped verify the fix. :bow:
Note: This release makes sure that, by default, only plain strings are returned (unless configured otherwise). This change relates to a surprising behavior in Chrome 77 having to do with Trusted Types.
- Changed the default behavior for Trusted Types (See #361)
- Added a new config flag to manually enable Trusted Types support
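How a caller should handle the return-type change, as an added example that is not DOMPurify's own code: `RETURN_TRUSTED_TYPE` is the config key DOMPurify's README names for opting into Trusted Types; everything else here is constructed, in particular `fakeSanitize`, a stand-in for `DOMPurify.sanitize` that mimics the two result shapes (a plain string, or an opaque object the way `TrustedHTML` is) so the snippet runs outside a browser. The point it shows is the surprise from the note above: code that post-processes the sanitizer output with string methods breaks the moment the result is a `TrustedHTML`, so the config should follow the environment and the consumer should pick one shape deliberately.

```javascript
// Added example, not DOMPurify's code: pick DOMPurify's return shape per
// environment and handle both shapes on the consumer side.

// Feature detection for the Trusted Types API (window.trustedTypes).
function trustedTypesAvailable(scope = globalThis) {
  return typeof scope.trustedTypes !== 'undefined' &&
    typeof scope.trustedTypes.createPolicy === 'function';
}

// Config for the environment: RETURN_TRUSTED_TYPE is DOMPurify's documented
// flag; ask for TrustedHTML only where the browser can mint it, otherwise
// keep the string default this release restored.
function buildConfig(scope = globalThis) {
  return { RETURN_TRUSTED_TYPE: trustedTypesAvailable(scope) };
}

// Constructed stand-in for DOMPurify.sanitize (not a real sanitizer): with
// RETURN_TRUSTED_TYPE it hands back an opaque object, as TrustedHTML is,
// otherwise a plain string.
function fakeSanitize(dirty, cfg = {}) {
  const clean = String(dirty).replace(/<script[\s\S]*?<\/script>/gi, '');
  if (cfg.RETURN_TRUSTED_TYPE) {
    return { toString: () => clean };
  }
  return clean;
}

// Tells a consumer which shape it got. In a browser the object case would be
// `out instanceof TrustedHTML`; duck-typing keeps this runnable anywhere.
function resultKind(out) {
  return typeof out === 'string' ? 'string' : 'trusted-html';
}

// A consumer that post-processes output must not assume a string: calling
// `.toLowerCase()` directly on a TrustedHTML throws. String() works for both
// shapes, at the cost of dropping the trusted wrapper, so post-processing
// belongs in the string configuration, not the Trusted Types one.
function cleanAndLowercase(dirty, sanitize, cfg) {
  const out = sanitize(dirty, cfg);
  return String(out).toLowerCase();
}
```

In a page that loads DOMPurify, `fakeSanitize` is replaced by `DOMPurify.sanitize(dirty, buildConfig())`; the consumer-side handling is unchanged.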