sanitize-html
Comparing version 2.3.2 to 2.3.3
# Changelog | ||
## 2.3.3 (2021-03-19): | ||
- Security fix: `allowedSchemes` and related options did not properly block schemes containing a hyphen, plus sign, period or digit, such as `ms-calculator:`. Thanks to Lukas Euler for pointing out the issue. | ||
- Added a security note about the known risks associated with using the `parser` option, especially `decodeEntities: false`. See the documentation. | ||
## 2.3.2 (2021-01-26): | ||
- Additional fixes for iframe validation exploits. Prevent exploits based on browsers' tolerance of the use of "\" rather than "/" and the presence of whitespace at this point in the URL. Thanks to Ron Masas of [Checkmarx](https://www.checkmarx.com/) for pointing out the issue and writing unit tests. | ||
- Documentation correction for `yarn` users. Thanks to Tagir Khadzhiev. | ||
- Updates README `yarn add` syntax. Thanks to [Tagir Khadshiev](https://github.com/Aspedm) for the contribution. | ||
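Review bot: the 2.3.2 block records the same `yarn` documentation correction twice, once as "Documentation correction for `yarn` users. Thanks to Tagir Khadzhiev." and once as "Updates README `yarn add` syntax. Thanks to Tagir Khadshiev", with the contributor's surname spelled two different ways; collapse them into one entry with one spelling. In the new 2.3.3 entry, "`allowedSchemes` and related options" is vague for a security fix: list the affected options by name so users can tell whether their configuration was exposed, and state the scheme grammar the fix now accepts (the hunk in index.js allows hyphen, plus, period and digit after the first letter) rather than only the `ms-calculator:` example.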
@@ -7,0 +12,0 @@ ## 2.3.1 (2021-01-22): |
@@ -571,3 +571,5 @@ const htmlparser = require('htmlparser2'); | ||
// Case insensitive so we don't get faked out by JAVASCRIPT #1 | ||
const matches = href.match(/^([a-zA-Z]+):/); | ||
// Allow more characters after the first so we don't get faked | ||
// out by certain schemes browsers accept | ||
const matches = href.match(/^([a-zA-Z][a-zA-Z0-9.\-+]*):/); | ||
if (!matches) { | ||
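Review bot: the new pattern `/^([a-zA-Z][a-zA-Z0-9.\-+]*):/` matches the RFC 3986 scheme production (a letter followed by letters, digits, `+`, `-` or `.`), which is what the old `/^([a-zA-Z]+):/` missed and why `ms-calculator:` slipped through as a non-scheme. Two follow-ups: add regression tests covering a scheme with each of hyphen, plus, period and digit so the character class is not narrowed again later, and have the comment cite RFC 3986 section 3.1 instead of the generic "certain schemes browsers accept" so the next reader knows the class is intentionally the full scheme grammar. The match is still anchored at `^`, so this hunk relies on earlier whitespace and control-character handling of `href`; a comment pointing at where that normalization happens would make the check easier to audit.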
@@ -574,0 +576,0 @@ // Protocol-relative URL starting with any combination of '/' and '\' |
{ | ||
"name": "sanitize-html", | ||
"version": "2.3.2", | ||
"version": "2.3.3", | ||
"description": "Clean up user-submitted HTML, preserving whitelisted elements and whitelisted attributes on a per-element basis", | ||
@@ -5,0 +5,0 @@ "sideEffects": false, |
@@ -277,4 +277,6 @@ # sanitize-html | ||
sanitize-html is built on `htmlparser2`. By default the only option passed down is `decodeEntities: true` You can set the options to pass by using the parser option. | ||
sanitize-html is built on `htmlparser2`. By default the only option passed down is `decodeEntities: true`. You can set the options to pass by using the parser option. | ||
**Security note: changing the `parser` settings can be risky.** In particular, `decodeEntities: false` has known security concerns and a complete test suite does not exist for every possible combination of settings when used with `sanitize-html`. If security is your goal we recommend you use the defaults rather than changing `parser`, except for the `lowerCaseTags` option. | ||
```javascript | ||
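Review bot: the added security note says `decodeEntities: false` "has known security concerns" without stating what they are or linking to where they are documented, so a user cannot weigh the risk against whatever reason they had for changing the parser settings; add a one-sentence description of the concern or a link to the tracking issue. The sentence "a complete test suite does not exist for every possible combination of settings" reads as an admission rather than guidance; rephrase to say which combinations are tested (the defaults, and the defaults plus `lowerCaseTags`). The restored period after `decodeEntities: true` in the preceding line is a good catch.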
@@ -281,0 +283,0 @@ const clean = sanitizeHtml(dirty, { |