sanitize-html
Advanced tools
sanitize-html - npm Package Compare versions
Comparing version 2.3.2 to 2.3.3
| # Changelog | ||
| ## 2.3.3 (2021-03-19): | ||
| - Security fix: `allowedSchemes` and related options did not properly block schemes containing a hyphen, plus sign, period or digit, such as `ms-calculator:`. Thanks to Lukas Euler for pointing out the issue. | ||
| - Added a security note about the known risks associated with using the `parser` option, especially `decodeEntities: false`. See the documentation. | ||
| ## 2.3.2 (2021-01-26): | ||
| - Additional fixes for iframe validation exploits. Prevent exploits based on browsers' tolerance of the use of "\" rather than "/" and the presence of whitespace at this point in the URL. Thanks to Ron Masas of [Checkmarx](https://www.checkmarx.com/) for pointing out the issue and writing unit tests. | ||
| - Documentation correction for `yarn` users. Thanks to Tagir Khadzhiev. | ||
| - Updates README `yarn add` syntax. Thanks to [Tagir Khadshiev](https://github.com/Aspedm) for the contribution. | ||
@@ -7,0 +12,0 @@ ## 2.3.1 (2021-01-22): |
@@ -571,3 +571,5 @@ const htmlparser = require('htmlparser2'); | ||
| // Case insensitive so we don't get faked out by JAVASCRIPT #1 | ||
| const matches = href.match(/^([a-zA-Z]+):/); | ||
| // Allow more characters after the first so we don't get faked | ||
| // out by certain schemes browsers accept | ||
| const matches = href.match(/^([a-zA-Z][a-zA-Z0-9.\-+]*):/); | ||
| if (!matches) { | ||
@@ -574,0 +576,0 @@ // Protocol-relative URL starting with any combination of '/' and '\' |
| { | ||
| "name": "sanitize-html", | ||
| "version": "2.3.2", | ||
| "version": "2.3.3", | ||
| "description": "Clean up user-submitted HTML, preserving whitelisted elements and whitelisted attributes on a per-element basis", | ||
@@ -5,0 +5,0 @@ "sideEffects": false, |
@@ -277,4 +277,6 @@ # sanitize-html | ||
| sanitize-html is built on `htmlparser2`. By default the only option passed down is `decodeEntities: true` You can set the options to pass by using the parser option. | ||
| sanitize-html is built on `htmlparser2`. By default the only option passed down is `decodeEntities: true`. You can set the options to pass by using the parser option. | ||
| **Security note: changing the `parser` settings can be risky.** In particular, `decodeEntities: false` has known security concerns and a complete test suite does not exist for every possible combination of settings when used with `sanitize-html`. If security is your goal we recommend you use the defaults rather than changing `parser`, except for the `lowerCaseTags` option. | ||
| ```javascript | ||
@@ -281,0 +283,0 @@ const clean = sanitizeHtml(dirty, { |
New alerts
License Policy Violation
LicenseThis package is not allowed per your license policy. Review the package's license to ensure compliance.
Found 1 instance in 1 package
Fixed alerts
License Policy Violation
LicenseThis package is not allowed per your license policy. Review the package's license to ensure compliance.
Found 1 instance in 1 package
Improved metrics
- Total package byte prevSize
- increased by1.35%
69703
- Lines of code
- increased by0.29%
688
- Number of lines in readme file
- increased by0.34%
593
No dependency changes