Skip to content

DOMPurify 2.0.4
Compare
Choose a tag to compare
@cure53 cure53 released this 07 Oct 13:32
2.0.4
5476eb9
This commit was signed with the committer’s verified signature.
cure53 Cure53
GPG key ID: 43A94EA3B4323240
Learn about vigilant mode.

Another mXSS variation was spotted by @masatokinugawa and got addressed and fixed in this release.

The fixes were reviewed and no new bypasses could be spotted at the moment.
Thanks, @masatokinugawa 🙇‍♂️ 🙇‍♀️!

The sanitization logic for this kind of mXSS was changed to be less aggressive and still be able to spot all recent mXSS variations we know about right now - while also avoiding risky string matching.

Prayers and thoughts that this was the final variation. But better be on the lookout for more releases soon.

Assets 2
Loading