All Versions
Latest Version
Avg Release Cycle
105 days
Latest Release
327 days ago

Changelog History
Page 2

  • v4.6.3 Changes

    March 19, 2018
    • 🛠 CVE-2018-3740: Fixed an HTML injection vulnerability that could allow XSS.

    When Sanitize <= 4.6.2 is used in combination with libxml2 >= 2.9.2, a specially crafted HTML fragment can cause libxml2 to generate improperly escaped output, allowing non-allowlisted attributes to be used on allowlisted elements.

    Sanitize now performs additional escaping on affected attributes to prevent this.

    Many thanks to the Shopify Application Security Team for responsibly reporting this issue.

  • v4.6.2 Changes

    March 19, 2018
  • v4.6.1 Changes

    March 15, 2018
  • v4.6.0 Changes

    January 29, 2018
    • Loosened the Nokogumbo dependency to allow installing semver-compatible versions greater than or equal to v1.4. @rafbm - #171
  • v4.5.0 Changes

    June 04, 2017
    • ➕ Added SVG-related CSS properties to the relaxed config. See the diff for the full list of added properties. @louim - #161

    • 🛠 Fixed: Sanitize now strips null bytes (\u0000) before passing input to Nokogumbo, since they can cause recent versions to crash with a failed assertion in the Gumbo parser.

  • v4.4.0 Changes

    September 29, 2016
    • ➕ Added srcset to the attribute allowlist for img elements in the relaxed config. @ejtttje - #156
  • v4.3.0 Changes

    September 20, 2016
  • v4.2.0 Changes

    August 22, 2016
    • ➕ Added -webkit-font-smoothing to the relaxed CSS config. @louim - #154

    • 🛠 Fixed: Nokogumbo >=1.4.9 changed its behavior in a way that allowed invalid doctypes (like <!DOCTYPE nonsense>) when the :allow_doctype config setting was true. Invalid doctypes are now coerced to valid ones as they were prior to this Nokogumbo change.

  • v4.1.0 Changes

    June 17, 2016
    • Added a new CSS config setting, :import_url_validator. This is a Proc or other callable object that will be called with each @import URL, and should return true to allow the URL or false to remove it. @nikz - #153
  • v4.0.1 Changes

    December 09, 2015