# 6.0.0

**Breaking Changes**

- Decode HTML character references automatically. Previously an entity-encoded `javascript:` URL passed the sanitizer unchanged and became an XSS vector when the link was rendered in a server-rendered HTML file, because the browser decodes the entities in the `href` attribute before following the link.

```js
// decodes to javascript:alert('XSS')
const vulnerableUrl =
  "&#0000106&#0000097&#0000118&#0000097&#0000115&#0000099&#0000114&#0000105&#0000112&#0000116&#0000058&#0000097&#0000108&#0000101&#0000114&#0000116&#0000040&#0000039&#0000088&#0000083&#0000083&#0000039&#0000041";

sanitizeUrl(vulnerableUrl); // 'about:blank'

const okUrl = "https://example.com/" + vulnerableUrl;

// since the javascript bit is in the path instead of the protocol,
// this is not a javascript: URL and is passed through (entities decoded)
sanitizeUrl(okUrl); // "https://example.com/javascript:alert('XSS')"
```
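
The following is an added example, not code from the library this changelog belongs to. It models the bypass described in the 6.0.0 entry with a small stand-in sanitizer: a "before" version that checks only the raw string, and an "after" version that decodes numeric character references the way an HTML attribute value is decoded, strips control characters (the 5.0.2 and 3.1.0 entries below concern the same class of input) and only then inspects the scheme. The helper names (`naiveSanitize`, `hardenedSanitize`, `decodeNumericEntities`, `effectiveHref`) are hypothetical, the decoder handles numeric references only, and the sample payload is the one constructed in the changelog entry above.

```javascript
// Added example, not code from the library this changelog describes.
// Demonstrates why a URL sanitizer must decode HTML character references
// before checking the scheme: the raw string never contains "javascript:",
// but once it lands in <a href="..."> of a server-rendered page the browser
// decodes the references and a click runs script. All helper names are
// hypothetical stand-ins.

// Schemes that must never be allowed, optionally preceded by non-word noise.
const INVALID_PROTOCOL = /^([^\w]*)(javascript|data|vbscript)/i;
// Control and zero-width characters that can split a scheme ("java\tscript:").
const CTRL_CHARS = /[\u0000-\u001F\u007F-\u009F\u2000-\u200D\uFEFF]/g;

// Decode decimal (&#106; or &#0000106 with the semicolon omitted) and
// hexadecimal (&#x6A;) numeric character references. Named entities such
// as &amp; are out of scope for this example.
function decodeNumericEntities(s) {
  return s.replace(/&#(x[0-9a-f]+|\d+);?/gi, (match, code) => {
    const cp = code[0].toLowerCase() === "x"
      ? parseInt(code.slice(1), 16)
      : parseInt(code, 10);
    // Leave anything outside the Unicode range untouched.
    return cp <= 0x10ffff ? String.fromCodePoint(cp) : match;
  });
}

// "Before": checks the raw string only, so the entity-encoded payload
// contains no literal "javascript:" and passes straight through.
function naiveSanitize(url) {
  const trimmed = url.trim();
  if (!trimmed) return "about:blank";
  return INVALID_PROTOCOL.test(trimmed) ? "about:blank" : trimmed;
}

// "After": decode references first, remove control characters, trim,
// and only then check the scheme of what the browser will actually see.
function hardenedSanitize(url) {
  const decoded = decodeNumericEntities(url).replace(CTRL_CHARS, "").trim();
  if (!decoded) return "about:blank";
  return INVALID_PROTOCOL.test(decoded) ? "about:blank" : decoded;
}

// What the browser navigates to when a sanitizer's output is written into
// an href attribute of server-rendered HTML: the attribute value is
// entity-decoded before the URL is resolved.
function effectiveHref(sanitizedOutput) {
  return decodeNumericEntities(sanitizedOutput);
}

// Constructed sample input: "javascript:alert('XSS')" written entirely as
// decimal character references without semicolons.
const vulnerableUrl =
  "&#0000106&#0000097&#0000118&#0000097&#0000115&#0000099&#0000114&#0000105" +
  "&#0000112&#0000116&#0000058&#0000097&#0000108&#0000101&#0000114&#0000116" +
  "&#0000040&#0000039&#0000088&#0000083&#0000083&#0000039&#0000041";

console.log("naive output:    ", naiveSanitize(vulnerableUrl));
console.log("browser sees:    ", effectiveHref(naiveSanitize(vulnerableUrl)));
console.log("hardened output: ", hardenedSanitize(vulnerableUrl));
console.log("path, not scheme:", hardenedSanitize("https://example.com/" + vulnerableUrl));
```

The hardened version returns the decoded string rather than the original, so a URL whose entities sit in the path (the `okUrl` case in the entry above) comes back with the entities already resolved; a caller that re-encodes the value for HTML output is unaffected, while one that relied on the entities surviving will notice the change, which is why the entry is marked breaking.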
20
# 5.0.2

- Fix issue where certain invisible white space characters were not being sanitized (#35)

# 5.0.1

- Fix issue where certain safe characters were being filtered out (#31 thanks @akirchmyer)

# 5.0.0

_Breaking Changes_

- Sanitize vbscript urls (thanks @vicnicius)

# 4.1.1

- Fixup path to type declaration (closes #25)

# 4.1.0

- Add typescript types

# CHANGELOG

## 4.0.1

- Fix issue where urls with accented characters were incorrectly sanitized

## 4.0.0

_Breaking Changes_

- Protocol-less urls (i.e. www.example.com) will be sanitised and passed on instead of sending out `about:blank` (Thanks @chawes13 #18)

## 3.1.0

- Trim whitespace from urls

## 3.0.0

_breaking changes_

- Replace blank strings with about:blank
- Replace null values with about:blank

## 2.1.0

- Allow relative urls to be sanitized

## 2.0.2

- Sanitize malicious URLs that begin with `\s`

## 2.0.1

- Sanitize malicious URLs that begin with %20

## 2.0.0

- sanitize data: urls

## 1.0.0

- sanitize javascript: urls