
sanitize-html - npm Package Versions

2.0.0-rc.1 (2020-08-26):

  • Upgrade klona package. Thanks to Bogdan Chadkin for the contribution.

alexbea published 1.27.4

1.27.4 (2020-08-26):

  • Fixes an IE11 regression from using Array.prototype.includes, replacing it with Array.prototype.indexOf.

alexbea published 1.27.3

1.27.3 (2020-08-12):

  • Fixes a bug when using transformTags without textFilter. Thanks to Andrzej Porebski for the help with a failing test.

alexbea published 2.0.0-beta.2

2.0.0-beta.2:

  • Add files to package.json to prevent publishing unnecessary files to npm #392. Thanks to styfle for the contribution.
  • Removes iframe and nl from default allowed tags. Adds most innocuous tags to the default allowedTags array.
  • Fixes a bug when using transformTags without textFilter. Thanks to Andrzej Porebski for the help with a failing test.

alexbea published 1.27.2

1.27.2 (2020-07-29):

  • Fixes CHANGELOG links. Thanks to Alex Mayer for the contribution.
  • Replaces srcset with parse-srcset. Thanks to Massimiliano Mirra for the contribution.

alexbea published 2.0.0-beta

2.0.0-beta:

  • Moves the index.js file to the project root and removes all build steps within the package. Going forward, it is up to the developer to include sanitize-html in their project builds as-needed. This removes major points of conflict with project code and frees this module to not worry about myriad build-related questions.
  • Replaces lodash with utility packages: klona, is-plain-object, deepmerge, escape-string-regexp.
  • Makes custom tag transformations less error-prone by escaping frame innerText. Thanks to Mike Samuel for the contribution. Prior to this patch, tag transformations which turned an attribute value into a text node could be vulnerable to code execution.
  • Updates code to use modern features including const/let variable assignment.
  • ESLint clean up.
  • Updates is-plain-object to the 4.x major version.
  • Updates srcset to the 3.x major version.

Thanks to Bogdan Chadkin for contributions to this major version update.

alexbea published 1.27.1

1.27.1 (2020-07-15):

  • Removes the unused chalk dependency.
  • Adds configuration for a GitHub stale bot.
  • Replace xtend package with native Object.assign.

alexbea published 1.27.0

1.27.0:

  • Adds the allowedIframeDomains option. This works similarly to allowedIframeHostnames, where you would set it to an array of web domains. It would then permit any hostname on those domains to be used in iframe src attributes. Thanks to Stanislav Kravchenko for the contribution.

alexbea published 1.26.0

1.26.0:

  • Adds the option element to the default nonTextTagsArray of tags with contents that aren't meant to be displayed visually as text. This can be overridden with the nonTextTags option.

alexbea published 1.25.0

1.25.0:

  • Adds enforceHtmlBoundary option to process code bounded by the html tag, discarding any code outside of those tags.
  • Migrates to the main lodash package from the per method packages since they are deprecated and cause code duplication. Thanks to Merceyz for the contribution.
  • Adds a warning when style and script tags are allowed, as they are inherently vulnerable to being used in XSS attacks. That warning can be disabled by including the option allowVulnerableTags: true so this choice is knowing and explicit.