Sanitize v4.6.3 Release Notes

Release Date: 2018-03-19
    • 🛠 CVE-2018-3740: Fixed an HTML injection vulnerability that could allow XSS.

    When Sanitize <= 4.6.2 is used in combination with libxml2 >= 2.9.2, a specially crafted HTML fragment can cause libxml2 to generate improperly escaped output, allowing non-allowlisted attributes to be used on allowlisted elements.

    Sanitize now performs additional escaping on affected attributes to prevent this.

    Many thanks to the Shopify Application Security Team for responsibly reporting this issue.
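    As an added illustration of the failure class described above (this is constructed example code, not Sanitize's own implementation): a minimal element serializer that drops non-allowlisted attributes but emits values verbatim, beside one that escapes each kept value before output, plus a check that lists which attribute names actually end up in the emitted tag. The function names, the allowlist and the sample input are assumptions for this example.

```ruby
require 'cgi'

# Constructed allowlist (assumption for this example): img may carry src and alt.
ALLOWED_ATTRS = { 'img' => %w[src alt] }.freeze

# Escape every character that can terminate an attribute value or open a tag.
# CGI.escapeHTML covers & < > " and '.
def escape_attr_value(value)
  CGI.escapeHTML(value.to_s)
end

# Unsafe: allowlist filtering is applied, but values are emitted verbatim, so a
# value containing a double quote closes the attribute early and whatever follows
# is parsed as a new, non-allowlisted attribute (mimics a serializer that leaves
# the quote unescaped).
def serialize_unsafe(name, attrs)
  kept = attrs.select { |k, _| ALLOWED_ATTRS.fetch(name, []).include?(k) }
  "<#{name}" + kept.map { |k, v| %( #{k}="#{v}") }.join + '>'
end

# Hardened: same filtering, plus explicit escaping of each kept value, so the
# quote becomes &quot; and stays inside the attribute it belongs to.
def serialize_safe(name, attrs)
  kept = attrs.select { |k, _| ALLOWED_ATTRS.fetch(name, []).include?(k) }
  "<#{name}" + kept.map { |k, v| %( #{k}="#{escape_attr_value(v)}") }.join + '>'
end

# Post-serialization check: the attribute names present in the emitted start
# tag. The allowlist invariant holds only if this equals the allowlisted set.
def attribute_names_in(tag)
  tag.scan(/\s([a-zA-Z][\w:-]*)\s*=\s*"/).flatten
end

# Constructed input: the alt text tries to smuggle an extra attribute through
# the value, and onload is present only to show it is dropped by the allowlist.
SMUGGLING_ATTRS = {
  'src' => 'photo.png',
  'alt' => 'x" data-smuggled="1',
  'onload' => 'dropped'
}.freeze

if __FILE__ == $PROGRAM_NAME
  puts serialize_unsafe('img', SMUGGLING_ATTRS) # data-smuggled appears as an attribute
  puts serialize_safe('img', SMUGGLING_ATTRS)   # only src and alt survive
end
```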