DOMPurify 0.7.4

• Moved handling of URI-attributes from black-list to white-list
• Optimized the code
• Optimized regular expressions in use
• Made all data-* attributes become URI-safe
• Fixed a security bug in SAFE_FOR_TEMPLATING mode, spotted by @filedescriptor

DOMPurify 0.7.3

• Better fall-back handling for IE8 and IE9
• Better compatibility with SVG filters and filter elements

DOMPurify 0.7.2

• Fixed a crash in Safari 9
• Added SAFE_FOR_TEMPLATES flag to aggressively scrub template delimiters and content
• Added better test coverage
• Added CI coverage for MS Edge
• Fixed fall-back behaviour for IE6-IE8
• Enhanced and updated the documentation

DOMPurify 0.7.1

• Added better test coverage
• Added tests for document.write() behavior
• Added better SVG compatibility
• Changed the CI log outout
• Added better local testing capabilities

DOMPurify 0.7.0

• Added better compatibility for older browsers
• Added better test coverage
• Added /dist folder with a tested compressed DOMPurify version
• Optimized internal document creation process
• Optimized browser tests, now covering eight browsers
• Optimized code style
• Updated wiki pages and readmes

DOMPurify 0.6.7

• Security Release Please update!
• Fixed a possible security issue based on a newly spotted Firefox bug (explanation below)
• Replaced document.implementation by DOMParser.parseFromString()
• Changed location of purify.js from / to /src
• Extended the range of tested browsers on BrowserStack

Details about the Security Issue

Problem:
https://bugzilla.mozilla.org/show_bug.cgi?id=1205631

Attack Scenario:
The bug only manifested itself if the sanitized HTML DOMPurify created would be written to a document using document.write() or alike. Applications, that set the sanitized HTML by using innerHTML or outerHTML are not affected at all. Applications that do not allow SVG are also not affected at all.

The security issue is caused by a non-standard behavior of Gecko (the Firefox browser-engine) and a peculiar way of working with innerHTML-assignments. The following code snippets illustrate the issue:

<script>
// This is SAFE (but shouldn't be!)
document.body.innerHTML='<svg><p><style><img src="</style><img src=x onerror=alert(1)//">'
</script>


<script>
// This is UNSAFE
document.write('<svg><p><style><img src="</style><img src=x onerror=alert(1)//">')
</script>

Users who install this latest release are not affected by the bug anymore as DOMPurify fixes around the problem and mitigates the issue by not trusting Gecko's innerHTML implementation any much longer. Instead of the combination of document.implementation and doc.body.outerHTML, DOMPurify is now using the DOMParser feature available in all modern browsers.

This change is expected to be non-breaking, no API changes or other side-effects are expected.

Thanks @mozfreddyb for assisting with this fix.

DOMPurify 0.6.6

• Fixed around an MSIE/Edge bug causing freezes #89
• Changed from MPL-2.0 to a dual license of Apache-2.0 and MPL-2.0
• Fixed all tests for Microsoft Edge

DOMPurify 0.6.5

• New CSS sanitizer demo hook
• New HTTP proxy demo hook
• New URI scheme white-list demo hook
• Better compatibility with Microsoft Edge
• Better tolerance for custom data attributes
• Fixed a crash on Firefox
• Fixed id and name attribute checks
• Multiple minor fixes and performance enhancements
• Better documentation

DOMPurify 0.6.4

• DOMPurify can now use a custom-made window object
• Added hooks can now be removed and flushed
• A possible clobbering effect for has been mitigated
• Optimizations for RTE / Copy&Paste compatibility
• Test suite has been optimized for better error output
• Fixed a crash in Safari
• Updated MentalJS library in demo hooks

DOMPurify 0.6.3

• Merged countless optimizations and beautifications by @neilj
• Optimized performance thanks to @neilj
• Fixed a minor bug with the RETURN_DOM flag thanks to @neilj
• Detailed list of changes: #52