
Releases: cure53/DOMPurify

DOMPurify 0.6.7

17 Sep 13:00
  • Security release. Please update!
  • Fixed a possible security issue based on a newly spotted Firefox bug (explanation below)
  • Replaced document.implementation with DOMParser.parseFromString()
  • Moved purify.js from / to /src
  • Extended the range of browsers tested on BrowserStack

Details about the Security Issue

Problem:
https://bugzilla.mozilla.org/show_bug.cgi?id=1205631

Attack Scenario:
The bug only manifested itself if the sanitized HTML produced by DOMPurify was written to a document using document.write() or a similar API. Applications that set the sanitized HTML via innerHTML or outerHTML are not affected at all. Applications that do not allow SVG are also not affected at all.

The security issue is caused by non-standard behavior of Gecko (the Firefox browser engine) and its peculiar handling of innerHTML assignments: markup that parses one way when assigned via innerHTML parses differently when the same string is handed to document.write(). The following code snippets illustrate the issue:

<script>
// This is SAFE (but shouldn't be!)
document.body.innerHTML='<svg><p><style><img src="</style><img src=x onerror=alert(1)//">'
</script>

<script>
// This is UNSAFE
document.write('<svg><p><style><img src="</style><img src=x onerror=alert(1)//">')
</script>

Users who install this latest release are no longer affected by the bug: DOMPurify works around the problem and mitigates the issue by no longer trusting Gecko's innerHTML implementation. Instead of the combination of document.implementation and doc.body.outerHTML, DOMPurify now uses the DOMParser API available in all modern browsers.

This change is expected to be non-breaking; no API changes or other side effects are expected.
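The parsing approach 0.6.7 switched to, as an added example that is not DOMPurify's own code: untrusted markup is parsed with DOMParser.parseFromString(), the inspected tree is serialized via innerHTML, and the string is re-parsed to confirm the tree shape survived before it is assigned with innerHTML rather than passed to document.write(). The helper names parseUntrusted, shape, serializeWithRoundTripCheck and render, and the target element id, are assumptions.

```html
<div id="out"></div>
<script>
// Added example, not DOMPurify's code. Helper names are assumptions.
// Parse untrusted markup into an inert document: scripts do not run and
// subresources are not fetched in a document created by DOMParser.
function parseUntrusted(dirty) {
  return new DOMParser().parseFromString(
    '<!DOCTYPE html><html><body>' + dirty, 'text/html');
}

// List the element names of a subtree in document order: the tree shape
// a sanitizer actually inspected.
function shape(root) {
  var names = [];
  var walker = root.ownerDocument.createTreeWalker(root, NodeFilter.SHOW_ELEMENT);
  while (walker.nextNode()) names.push(walker.currentNode.localName);
  return names.join(',');
}

// Serialize a sanitized body, then re-parse the string and compare shapes.
// A mismatch means the string is not a faithful copy of the inspected tree
// and must not be handed to another parser path such as document.write().
function serializeWithRoundTripCheck(body) {
  var html = body.innerHTML;
  var before = shape(body);
  var after = shape(parseUntrusted(html).body);
  if (before !== after) {
    throw new Error('serialization changed the tree: ' + before + ' -> ' + after);
  }
  return html;
}

// Consumer side: assign via innerHTML (or adopt the node itself, as the
// RETURN_DOM option does); never pass sanitizer output to document.write().
function render(target, dirty) {
  var body = parseUntrusted(dirty).body;
  // a real sanitizer walks `body` here and removes disallowed nodes/attributes
  target.innerHTML = serializeWithRoundTripCheck(body);
}

// Constructed sample input; the <p> inside <svg> exercises the foreign-content
// breakout rules that the Gecko bug above depends on.
render(document.getElementById('out'), '<svg><p>hello</p></svg>');
</script>
```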

Thanks @mozfreddyb for assisting with this fix.

DOMPurify 0.6.6

15 Sep 09:18
  • Worked around an MSIE/Edge bug causing freezes (#89)
  • Changed from MPL-2.0 to a dual license of Apache-2.0 and MPL-2.0
  • Fixed all tests for Microsoft Edge

DOMPurify 0.6.5

04 Aug 13:07
  • New CSS sanitizer demo hook
  • New HTTP proxy demo hook
  • New URI scheme white-list demo hook
  • Better compatibility with Microsoft Edge
  • Better tolerance for custom data attributes
  • Fixed a crash on Firefox
  • Fixed id and name attribute checks
  • Multiple minor fixes and performance enhancements
  • Better documentation

DOMPurify 0.6.4

26 May 10:48
  • DOMPurify can now use a custom-made window object
  • Added hooks can now be removed and flushed
  • A possible clobbering effect for has been mitigated
  • Optimizations for RTE / Copy&Paste compatibility
  • Test suite has been optimized for better error output
  • Fixed a crash in Safari
  • Updated MentalJS library in demo hooks

DOMPurify 0.6.3

07 Apr 13:59
  • Merged countless optimizations and beautifications by @neilj
  • Optimized performance thanks to @neilj
  • Fixed a minor bug with the RETURN_DOM flag thanks to @neilj
  • Detailed list of changes: #52

DOMPurify 0.6.2

31 Mar 13:44
  • Added hook demo for MentalJS JavaScript sandbox
  • Fixed a typo in the hook labels
  • Added additional hooks with meta-data objects
  • Fixed the tests for Project Spartan 0.10.10049

DOMPurify 0.6.1

23 Feb 08:45
  • Fixed several security issues identified by a 3rd party code audit
  • Removed support for MSIE9
  • Enabled toStaticHTML fallback for MSIE9

DOMPurify 0.6.0

16 Feb 12:58

Important: This is a feature release, not a security update.

  • Added Hook API to allow custom extensions and plugins
  • Added config flag FORBID_TAGS to blacklist specific tags
  • Added config flag FORBID_ATTR to blacklist specific attributes
  • Added demo folder with various showcases / usage examples
  • Extended unit tests
  • Added version label to DOMPurify object

DOMPurify 0.4.5

16 Jan 12:18
  • Fixed a minor DOM clobbering issue reported by @filedescriptor
  • Made sure present but empty DOM properties cannot be clobbered
  • Made sure that document.all cannot be clobbered by avoiding typeof

DOMPurify 0.4.4

13 Oct 11:24
  • Fixed a bug in the clobber detection potentially leading to XSS, thanks @avlidienbrunn
  • Fixed an undefined error
  • Fixed a range error
  • Added a pre-test for better performance