sanitize-html - npm Package Compare versions

Comparing version 2.5.0 to 2.5.1

CHANGELOG.md

 # Changelog
 
+## 2.5.1 (2021-09-14):
+- The `allowedScriptHostnames` and `allowedScriptDomains` options now implicitly purge the inline content of all script tags, not just those with `src` attributes. This behavior was already strongly implied by the fact that they purged it in the case where a `src` attribute was actually present, and is necessary for the feature to provide any real security. Thanks to Grigorii Duca for pointing out the issue.
+
 ## 2.5.0 (2021-09-08):
@@ -4,0 +7,0 @@

index.js

@@ -268,2 +268,9 @@ const htmlparser = require('htmlparser2');
       result += '<' + name;
+
+      if (name === 'script') {
+        if (options.allowedScriptHostnames || options.allowedScriptDomains) {
+          frame.innerText = '';
+        }
+      }
+
       if (!allowedAttributesMap || has(allowedAttributesMap, name) || allowedAttributesMap['*']) {
@@ -319,7 +326,7 @@ each(attribs, function(value, a) {
             }
+
             if (name === 'script' && a === 'src') {
+
               let allowed = true;
 
-              frame.innerText = '';
-
               try {
@@ -326,0 +333,0 @@ const parsed = new URL(value);

package.json

 {
   "name": "sanitize-html",
-  "version": "2.5.0",
+  "version": "2.5.1",
   "description": "Clean up user-submitted HTML, preserving allowlisted elements and allowlisted attributes on a per-element basis",
@@ -5,0 +5,0 @@ "sideEffects": false,

New alerts

License Policy Violation

License

This package is not allowed per your license policy. Review the package's license to ensure compliance.

Found 1 instance in 1 package

Fixed alerts

License Policy Violation

License

This package is not allowed per your license policy. Review the package's license to ensure compliance.

Found 1 instance in 1 package

Improved metrics

Total package byte prevSize

73670

increased by0.77%

Lines of code

737

increased by0.55%

No dependency changes