sanitize-html

Maintainers: 8
Versions: 113

sanitize-html - npm Package Versions


1.11.4

Diff

Changelog

Source

1.11.4:

Fixed a crash when __proto__ is a tag name. Now using a safe check for the existence of properties in all cases. Thanks to Andrew Krasichkov.

Fixed XSS attack vector via textarea tags (when explicitly allowed). Decided that script (obviously) and style (due to its own XSS vectors) cannot realistically be afforded any XSS protection if allowed, unless we add a full CSS parser. Thanks again to Andrew Krasichkov.
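The 1.11.4 entry only names the symptom (a crash on the tag name __proto__) and the cure (a safe property-existence check). The following is an added example, not sanitize-html's own code, that reproduces that class of failure on a constructed allowlist shaped like the allowedAttributes option and shows the own-property check next to the bare lookup:

```javascript
// Added example, not sanitize-html's own code: the class of crash the 1.11.4 entry
// describes, and the safe property-existence check that avoids it. The allowlist
// below is constructed for this illustration.

// Allowlist keyed by tag name, in the shape of the allowedAttributes option.
const allowedAttributes = {
  a: ['href', 'name', 'target'],
  img: ['src', 'alt'],
};

// Unsafe: a bare lookup on a plain object walks the prototype chain. For the
// tag name "__proto__" it yields Object.prototype, for "constructor" it yields
// Object: both truthy, neither an array, so the .indexOf call below throws.
function unsafeIsAttrAllowed(tag, attr) {
  const list = allowedAttributes[tag];
  return Boolean(list) && list.indexOf(attr) !== -1;
}

// Safe: consult only the object's own properties before using the value.
const hasOwn = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

function safeIsAttrAllowed(tag, attr) {
  if (!hasOwn(allowedAttributes, tag)) return false;
  return allowedAttributes[tag].indexOf(attr) !== -1;
}

// Report whether a call throws, so the two checks can be compared side by side.
function throwsOn(fn, ...args) {
  try {
    fn(...args);
    return false;
  } catch (err) {
    return true;
  }
}

// Attacker-controlled tag names that collide with properties every plain object inherits.
const hostileTagNames = ['__proto__', 'constructor', 'toString', 'hasOwnProperty'];

// Which of the hostile names make a given check throw.
function tagNamesThatCrash(check) {
  return hostileTagNames.filter((tag) => throwsOn(check, tag, 'href'));
}

console.log('unsafe check crashes on:', tagNamesThatCrash(unsafeIsAttrAllowed));
console.log('safe check crashes on:', tagNamesThatCrash(safeIsAttrAllowed));
```

Because untrusted HTML chooses the tag names, any plain-object lookup keyed by tag name is reachable with inherited property names; storing the allowlist in an object created with Object.create(null), or in a Map, removes the prototype chain entirely and is an equally valid fix.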

boutell published 1.11.3

1.11.3:

Bumped the htmlparser2 version to address a crashing bug in the older version. Thanks to e-jigsaw.

boutell published 1.11.2

1.11.2:

Fixed a README typo that interfered with readability due to markdown issues. No code changes. Thanks to Mikael Korpela. Also improved code block highlighting in the README. Thanks to Alex Siman.

boutell published 1.11.1

1.11.1:

Fixed a regression introduced in 1.11.0 which caused the closing tag of the parent of a textarea tag to be lost. Thanks to Stefano Sala, who contributed the missing test.

boutell published 1.11.0

1.11.0:

Added the nonTextTags option, with tests.

boutell published 1.10.1

1.10.1:

Documentation cleanup. No code changes. Thanks to Rex Schrader.

boutell published 1.10.0

1.10.0:

allowedAttributes now allows you to allow attributes for all tags by specifying * as the tag name. Thanks to Zdravko Georgiev.
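An added example, not sanitize-html's own code, of how a "*" entry in allowedAttributes can be resolved for a given tag. The policy is constructed for the illustration, and treating the wildcard list as a union with the tag-specific list (rather than a fallback) is an assumption made here; the lookups use own-property checks so that tag names such as __proto__ resolve to the wildcard list alone:

```javascript
// Added example, not sanitize-html's own code: resolving the attribute allowlist
// for a tag when allowedAttributes carries a "*" wildcard entry (1.10.0).
// Union semantics for "*" plus the tag-specific list is an assumption here.

const hasOwn = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

// Constructed policy in the shape of the allowedAttributes option.
const allowedAttributes = {
  '*': ['class', 'id'],      // permitted on every tag
  a: ['href', 'rel'],
  img: ['src', 'alt'],
};

// Union of the wildcard list and the tag-specific list, in that order, without
// duplicates. Only own properties are consulted, so inherited names such as
// "__proto__" or "constructor" never reach the array methods below.
function attributesAllowedFor(tag) {
  const global = hasOwn(allowedAttributes, '*') ? allowedAttributes['*'] : [];
  const specific = hasOwn(allowedAttributes, tag) ? allowedAttributes[tag] : [];
  return Array.from(new Set(global.concat(specific)));
}

// Keep only the allowed attributes of an element, preserving their original order.
function filterAttributes(tag, attribs) {
  const allowed = attributesAllowedFor(tag);
  const kept = {};
  for (const name of Object.keys(attribs)) {
    if (allowed.indexOf(name) !== -1) kept[name] = attribs[name];
  }
  return kept;
}

// Constructed input: an anchor carrying an event handler that must not survive.
console.log(filterAttributes('a', { href: '/x', onclick: 'alert(1)', class: 'c' }));
console.log(attributesAllowedFor('img'));
console.log(attributesAllowedFor('__proto__'));
```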

boutell published 1.9.0

1.9.0:

The parser option allows options to be passed directly to htmlparser. Thanks to Danny Scott.

boutell published 1.8.0

1.8.0:

  • transformTags now accepts the * wildcard to transform all tags. Thanks to Jamy Timmermans.

  • Text that has been modified by transformTags is then passed through textFilter. Thanks to Pavlo Yurichuk.

  • Content inside textarea is discarded if textarea is not allowed. I don't know why it took me this long to see that this is just common sense. Thanks to David Frank.
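The three 1.8.0 items, the nonTextTags option from 1.11.0 and the textarea point in 1.11.4 all concern what a sanitizer does with the content of a tag. The following is an added example, not sanitize-html's own code, that runs a small sanitizer over a constructed stream of parser events (open, text and close, the shape htmlparser2 reports) and shows a "*" transform applied to every tag, text supplied by a transform going through textFilter, the contents of a disallowed non-text tag being discarded, and the raw text of an allowed textarea being entity-escaped rather than emitted verbatim. The policy and events are constructed for the illustration; applying the "*" transform before the tag-specific one is an assumption, and the page does not describe the exact 1.11.4 vector, so only the general escaping rule is shown:

```javascript
// Added example, not sanitize-html's own code: a sanitizer over a constructed
// parser-event stream. Wildcard-before-specific transform order is an assumption.

const hasOwn = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

// Text and attribute values are always entity-escaped on output, so parser-level
// text (including the raw body of an allowed textarea) cannot be re-read as markup.
function escapeText(s) {
  return s.replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;');
}
function escapeAttr(s) {
  return escapeText(s).replace(/"/g, '&quot;');
}

function sanitizeEvents(events, options) {
  const allowedTags = options.allowedTags;
  const nonTextTags = options.nonTextTags || ['script', 'style', 'textarea'];
  const transforms = options.transformTags || {};
  const textFilter = options.textFilter || ((text) => text);
  const out = [];
  const stack = [];     // one frame per open tag, popped on its close
  let suppressed = 0;   // > 0 while content is being dropped

  for (const ev of events) {
    if (ev.type === 'open') {
      let tagName = ev.name;
      let attribs = { ...ev.attribs };
      let replacementText;
      for (const key of ['*', ev.name]) {          // wildcard first, then specific
        if (hasOwn(transforms, key)) {
          const t = transforms[key](tagName, attribs);
          tagName = t.tagName;
          attribs = t.attribs;
          if (t.text !== undefined) replacementText = t.text;
        }
      }
      const allowed = suppressed === 0 && allowedTags.indexOf(tagName) !== -1;
      // Drop the contents of a disallowed non-text tag, and of any allowed tag
      // whose transform replaced its contents with text.
      const suppress = (!allowed && nonTextTags.indexOf(ev.name) !== -1) ||
        (allowed && replacementText !== undefined);
      if (allowed) {
        const attrText = Object.keys(attribs)
          .map((k) => ` ${k}="${escapeAttr(String(attribs[k]))}"`).join('');
        out.push(`<${tagName}${attrText}>`);
        // Text coming from a transform still goes through textFilter, then escaping.
        if (replacementText !== undefined) out.push(escapeText(textFilter(replacementText)));
      }
      if (suppress) suppressed++;
      stack.push({ emit: allowed, tagName, suppress });
    } else if (ev.type === 'text') {
      if (suppressed === 0) out.push(escapeText(textFilter(ev.data)));
    } else if (ev.type === 'close') {
      const frame = stack.pop();
      if (frame.suppress) suppressed--;
      if (frame.emit) out.push(`</${frame.tagName}>`);
    }
  }
  return out.join('');
}

// Constructed policy: "*" strips every attribute except title on every tag, <i> is
// rewritten to <em>, and <b> has its contents replaced by text that textFilter then sees.
function makeOptions(allowTextarea) {
  return {
    allowedTags: allowTextarea ? ['p', 'b', 'em', 'textarea'] : ['p', 'b', 'em'],
    transformTags: {
      '*': (tag, attribs) => ({ tagName: tag, attribs: hasOwn(attribs, 'title') ? { title: attribs.title } : {} }),
      i: (tag, attribs) => ({ tagName: 'em', attribs }),
      b: (tag, attribs) => ({ tagName: tag, attribs, text: 'secret value' }),
    },
    textFilter: (text) => text.replace(/secret/g, '***'),
  };
}

// Constructed events for:
//   <p title="t" onclick="x">my secret <b>ignored</b></p><textarea><script>alert(1)</script></textarea><i>ok</i>
// A real parser reports the textarea body as a single raw text node, as modelled here.
const sampleEvents = [
  { type: 'open', name: 'p', attribs: { title: 't', onclick: 'x' } },
  { type: 'text', data: 'my secret ' },
  { type: 'open', name: 'b', attribs: {} },
  { type: 'text', data: 'ignored' },
  { type: 'close', name: 'b' },
  { type: 'close', name: 'p' },
  { type: 'open', name: 'textarea', attribs: {} },
  { type: 'text', data: '<script>alert(1)</script>' },
  { type: 'close', name: 'textarea' },
  { type: 'open', name: 'i', attribs: {} },
  { type: 'text', data: 'ok' },
  { type: 'close', name: 'i' },
];

function sanitizeSample(allowTextarea) {
  return sanitizeEvents(sampleEvents, makeOptions(allowTextarea));
}

console.log(sanitizeSample(false));   // textarea not allowed: its body is discarded
console.log(sanitizeSample(true));    // textarea allowed: its body is escaped
```

With textarea disallowed, the script text inside it never reaches the output; with textarea allowed, it is emitted only as entity-escaped text. Because the browser treats a textarea body as raw text, and a parser reports it the same way, the one thing a sanitizer must never do is copy that body through unescaped, which is the general rule behind the 1.11.4 textarea fix.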

boutell published 1.7.2

1.7.2:

Removed the array-includes dependency in favor of indexOf, which is a little more verbose but slightly faster and doesn't require a shim. Thanks again to Joseph Dykstra.
