# CHANGELOG

## 6.0.0

_Breaking Changes_

- Automatically decode HTML character references (such as `&#106;`) before checking a URL; previously an entity-encoded scheme passed sanitization and resulted in an XSS vulnerability when the link was rendered into a server-rendered HTML file

```js
import { sanitizeUrl } from "@braintree/sanitize-url";

// the HTML entity &#106; decodes to "j", so the browser sees javascript:alert('XSS')
const vulnerableUrl = "&#106;avascript:alert('XSS')";

sanitizeUrl(vulnerableUrl); // 'about:blank'

const okUrl = "https://example.com/" + vulnerableUrl;

// since the javascript bit is in the path instead of the protocol
// this is considered safe and is passed through in decoded form
sanitizeUrl(okUrl); // "https://example.com/javascript:alert('XSS')"
```
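To make the 6.0.0 behaviour concrete, here is an added example, not the library's own implementation, of a minimal sanitizer that decodes HTML character references before inspecting the scheme and also applies the rules the earlier releases describe (invisible and control characters stripped, whitespace trimmed, `about:blank` for blank or `null` input, `javascript:`/`data:`/`vbscript:` rejected, relative and protocol-less URLs passed through). The function names `decodeHtmlEntities` and `sanitizeUrlExample` are my own, the named-entity table is a small case-insensitive subset, and the repeated decoding pass for double-encoded input is an added safeguard that the changelog does not attribute to the library.

```javascript
// Added example, not @braintree/sanitize-url's own code: a minimal URL
// sanitizer implementing the rules listed in this changelog. The 6.0.0
// point is that HTML character references must be decoded BEFORE the
// scheme is inspected, because the browser decodes them when the value
// lands in an href attribute.

// Small, case-insensitive subset of HTML named references (simplification);
// numeric references (&#106; / &#x6A;) are handled generically below.
const NAMED_ENTITIES = {
  amp: "&", lt: "<", gt: ">", quot: '"', apos: "'",
  colon: ":", tab: "\t", newline: "\n",
};
const ENTITY_RE = /&(#x[0-9a-f]+|#[0-9]+|[a-z]+);?/gi;

// Decode one layer of character references; unknown ones are left as-is.
function decodeHtmlEntities(str) {
  return str.replace(ENTITY_RE, (match, body) => {
    if (body[0] === "#") {
      const isHex = body[1].toLowerCase() === "x";
      const code = isHex ? parseInt(body.slice(2), 16) : parseInt(body.slice(1), 10);
      // NaN or out-of-range code points fail the comparison and are kept verbatim
      return code <= 0x10ffff ? String.fromCodePoint(code) : match;
    }
    const named = NAMED_ENTITIES[body.toLowerCase()];
    return named === undefined ? match : named;
  });
}

// Control characters and zero-width/invisible characters that browsers
// ignore inside a scheme (cf. the 5.0.2 fix for invisible whitespace).
const INVISIBLE_RE = /[\u0000-\u001f\u007f-\u009f\u200b-\u200d\u2060\ufeff]/g;

// Schemes that execute code or smuggle content. A scheme is detected even
// behind leading "%20" or whitespace (the 2.0.1 / 2.0.2 cases).
const BLOCKED_SCHEMES = new Set(["javascript", "data", "vbscript"]);
const SCHEME_RE = /^(?:%20|\s)*([a-z][a-z0-9+.-]*):/i;

const MAX_DECODE_PASSES = 5; // bound the work on pathological input

function sanitizeUrlExample(url) {
  // 3.0.0: null/undefined and blank strings become about:blank
  if (url == null) return "about:blank";
  let value = String(url);

  // 6.0.0: decode character references before looking at the scheme.
  // Repeating the pass (added safeguard) means "&amp;#106;avascript:"
  // does not survive as "&#106;avascript:" after a single decode.
  for (let i = 0; i < MAX_DECODE_PASSES; i++) {
    const decoded = decodeHtmlEntities(value);
    if (decoded === value) break;
    value = decoded;
  }

  // 5.0.2 / 3.1.0: drop invisible characters, then trim
  value = value.replace(INVISIBLE_RE, "").trim();
  if (value === "") return "about:blank";

  // 1.0.0 / 2.0.0 / 5.0.0: reject executable schemes
  const m = SCHEME_RE.exec(value);
  if (m && BLOCKED_SCHEMES.has(m[1].toLowerCase())) return "about:blank";

  // 2.1.0 / 4.0.0: relative and protocol-less URLs are returned as-is,
  // in decoded form, which is the breaking part of 6.0.0
  return value;
}

// Constructed sample inputs mirroring the changelog entries
console.log(sanitizeUrlExample("&#106;avascript:alert('XSS')"));                    // about:blank
console.log(sanitizeUrlExample("https://example.com/&#106;avascript:alert('XSS')")); // passed through, decoded
console.log(sanitizeUrlExample("  www.example.com "));                             // www.example.com
```

Note that the sanitizer returns the decoded string rather than the caller's original input, so a consumer that re-encodes the value for an HTML attribute does not end up double-encoding, and a consumer that compares the result against its input must expect a change.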

## 5.0.2

- Fix issue where certain invisible whitespace characters were not being sanitized (#35)

## 5.0.1

- Fix issue where certain safe characters were being filtered out (#31, thanks @akirchmyer)

## 5.0.0

_Breaking Changes_

- Sanitize `vbscript:` URLs (thanks @vicnicius)

## 4.1.1

- Fix path to type declaration (closes #25)

## 4.1.0

- Add TypeScript types

## 4.0.1

- Fix issue where URLs with accented characters were incorrectly sanitized

## 4.0.0

_Breaking Changes_

- Protocol-less URLs (i.e. `www.example.com`) are sanitized and passed through instead of being replaced with `about:blank` (thanks @chawes13, #18)

## 3.1.0

- Trim whitespace from URLs

## 3.0.0

_Breaking Changes_

- Replace blank strings with `about:blank`
- Replace `null` values with `about:blank`

## 2.1.0

- Allow relative URLs to be sanitized

## 2.0.2

- Sanitize malicious URLs that begin with `\s` (whitespace)

## 2.0.1

- Sanitize malicious URLs that begin with `%20`

## 2.0.0

- Sanitize `data:` URLs

## 1.0.0

- Sanitize `javascript:` URLs