# CHANGELOG

## 6.0.2

- Fix issue where urls in the form `https://example.com&NewLine;/something` were not properly sanitized

## 6.0.1

- Fix issue where urls in the form `javascript&colon;alert('xss');` were not properly sanitized
- Fix issue where urls in the form `javasc&Tab;ript:alert('XSS');` were not properly sanitized

## 6.0.0

**Breaking Changes**

- Decode HTML characters automatically that would result in an XSS vulnerability when rendering links via a server rendered HTML file

```js
const { sanitizeUrl } = require("@braintree/sanitize-url");

// decodes to javascript:alert('XSS')
const vulnerableUrl = "javascript&colon;alert('XSS')";

sanitizeUrl(vulnerableUrl); // 'about:blank'

const okUrl = "https://example.com/" + vulnerableUrl;

// since the javascript bit is in the path instead of the protocol
// this is successfully sanitized
sanitizeUrl(okUrl); // "https://example.com/javascript:alert('XSS')"
```
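To show why the entity decoding added in 6.0.0 (and the 6.0.1/6.0.2 fixes for the entity spellings of `:`, tab and newline) has to run before the scheme check, here is a small sanitizer written for this changelog as an added example. It is not the package's own implementation; `schemeCheckWithoutDecoding` is a constructed pre-6.0.0 stand-in kept only for contrast, and the entity table is an assumed minimal subset.

```javascript
// Added example, not @braintree/sanitize-url's own code: a minimal href sanitizer
// that applies the rules listed in this changelog in the order that matters
// (decode entities, strip control characters, trim, then check the scheme).
const NAMED_ENTITIES = { colon: ":", Tab: "\t", NewLine: "\n", amp: "&", lt: "<", gt: ">", quot: '"' };

// Decode numeric (&#58; &#x3A;) and the named entities above; unknown names are left alone.
function decodeHtmlCharacters(str) {
  return str.replace(/&(#x[0-9a-f]+|#\d+|[a-z]+);/gi, (match, body) => {
    if (body[0] === "#") {
      const code = /^#x/i.test(body) ? parseInt(body.slice(2), 16) : parseInt(body.slice(1), 10);
      return code <= 0x10ffff ? String.fromCodePoint(code) : match;
    }
    return Object.prototype.hasOwnProperty.call(NAMED_ENTITIES, body) ? NAMED_ENTITIES[body] : match;
  });
}

// C0/C1 controls, zero-width characters and the BOM (5.0.2, 6.0.1, 6.0.2).
const CTRL_CHARS = /[\u0000-\u001F\u007F-\u009F\u200B-\u200D\uFEFF]/g;
// The scheme is everything before the first ":" (so a path may contain "javascript:" harmlessly);
// it is unsafe if, after leading non-word characters or "%20" (2.0.1, 2.0.2), it names
// javascript, data or vbscript (1.0.0, 2.0.0, 5.0.0).
const SCHEME = /^([^:]+):/;
const UNSAFE_SCHEME = /^(?:[^\w]|%20)*(?:javascript|data|vbscript)$/i;

// Pre-6.0.0 style check, kept only for contrast: it inspects the raw string, so an
// entity-encoded colon is never seen as a scheme separator and the value passes through.
function schemeCheckWithoutDecoding(url) {
  const m = url.match(SCHEME);
  return m && UNSAFE_SCHEME.test(m[1]) ? "about:blank" : url;
}

function sanitizeUrl(url) {
  if (url === null || url === undefined) return "about:blank";            // 3.0.0
  const cleaned = decodeHtmlCharacters(String(url))                       // 6.0.0
    .replace(CTRL_CHARS, "")                                              // 5.0.2
    .trim();                                                              // 3.1.0
  if (cleaned === "") return "about:blank";                               // 3.0.0
  if (/^[./]/.test(cleaned)) return cleaned;                              // relative: 2.1.0
  const m = cleaned.match(SCHEME);
  if (!m) return cleaned;                                                 // protocol-less: 4.0.0
  return UNSAFE_SCHEME.test(m[1]) ? "about:blank" : cleaned;
}
```

The browser decodes `&colon;` when it parses the rendered `href`, which is exactly why the raw-string check lets the payload through while the decoding sanitizer blocks it.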

## 5.0.2

- Fix issue where certain invisible white space characters were not being sanitized (#35)

## 5.0.1

- Fix issue where certain safe characters were being filtered out (#31 thanks @akirchmyer)

## 5.0.0

_Breaking Changes_

- Sanitize vbscript urls (thanks @vicnicius)

## 4.1.1

- Fixup path to type declaration (closes #25)

## 4.1.0

- Add typescript types

## 4.0.1

- Fix issue where urls with accented characters were incorrectly sanitized

## 4.0.0

_Breaking Changes_

- Protocol-less urls (i.e. www.example.com) will be sanitised and passed on instead of sending out `about:blank` (thanks @chawes13 #18)

## 3.1.0

- Trim whitespace from urls

## 3.0.0

_Breaking Changes_

- Replace blank strings with about:blank
- Replace null values with about:blank

## 2.1.0

- Allow relative urls to be sanitized

## 2.0.2

- Sanitize malicious URLs that begin with `\s`

## 2.0.1

- Sanitize malicious URLs that begin with %20

## 2.0.0

- Sanitize data: urls

## 1.0.0

- Sanitize javascript: urls