fixed several more javascript URL attack vectors after studying the XSS filter evasion cheat sheet to better understand my enemy. Whitespace characters (codes from 0 to 32), which browsers ignore in URLs in certain cases allowing the "javascript" scheme to be snuck in, are now stripped out when checking for naughty URLs. Thanks again to pinpickle.

1.0.2

Diff

boutell

published 1.0.2 • 11 years ago

Changelog

Source

1.0.2:

fixed a javascript URL attack vector. naughtyHref must entity-decode URLs and also check for mixed-case scheme names. Thanks to pinpickle.

1.0.1

Diff

boutell

published 1.0.1 • 11 years ago

Changelog

Source

1.0.1:

Doc tweaks.

1.0.0

Diff

boutell

published 1.0.0 • 11 years ago

Changelog

Source

1.0.0:

If the style tag is disallowed, then its content should be dumped, so that it doesn't appear as text. We were already doing this for script tags, however in both cases the content is now preserved if the tag is explicitly allowed.

We're rocking our tests and have been working great in production for months, so: declared 1.0.0 stable.

0.1.4

Diff

boutell

published 0.1.4 • 11 years ago

…

1012

sanitize-html - npm Package Versions

1.1.4

.css-1z04cui{margin-bottom:var(--chakra-space-4);font-size:var(--chakra-fontSizes-md);}1.1.4:

1.1.3

1.1.3:

1.1.2

1.1.1

1.1.0

1.1.0:

1.0.3

1.0.3:

1.0.2

1.0.2:

1.0.1

1.0.1:

1.0.0

1.0.0:

0.1.4

1.1.4: