# CHANGELOG

## 6.0.2

- Fix issue where urls in the form `https://example.com\n/something` were not properly sanitized

## 6.0.1

- Fix issue where urls in the form `javascript:alert('xss');` were not properly sanitized
- Fix issue where urls in the form `javasc	ript:alert('XSS');` were not properly sanitized

## 6.0.0

**Breaking Changes**

- Decode HTML characters automatically that would result in an XSS vulnerability when rendering links via a server-rendered HTML file

```js
// import assumed for a runnable snippet; the changelog itself does not show it
import { sanitizeUrl } from "@braintree/sanitize-url";

// decodes to javascript:alert('XSS')
const vulnerableUrl =
  "&#0000106&#0000097&#0000118&#0000097&#0000115&#0000099&#0000114&#0000105&#0000112&#0000116&#0000058&#0000097&#0000108&#0000101&#0000114&#0000116&#0000040&#0000039&#0000088&#0000083&#0000083&#0000039&#0000041";

sanitizeUrl(vulnerableUrl); // 'about:blank'

const okUrl = "https://example.com/" + vulnerableUrl;

// since the javascript bit is in the path instead of the protocol
// this is successfully sanitized
sanitizeUrl(okUrl); // "https://example.com/javascript:alert('XSS')"
```

## 5.0.2

- Fix issue where certain invisible white space characters were not being sanitized (#35)

## 5.0.1

- Fix issue where certain safe characters were being filtered out (#31 thanks @akirchmyer)

## 5.0.0

_Breaking Changes_

- Sanitize vbscript urls (thanks @vicnicius)

## 4.1.1

- Fixup path to type declaration (closes #25)

## 4.1.0

- Add typescript types

## 4.0.1

- Fix issue where urls with accented characters were incorrectly sanitized

## 4.0.0

_Breaking Changes_

- Protocol-less urls (i.e. www.example.com) will be sanitised and passed on instead of sending out `about:blank` (Thanks @chawes13 #18)

## 3.1.0

- Trim whitespace from urls

## 3.0.0

_Breaking Changes_

- Replace blank strings with about:blank
- Replace null values with about:blank

## 2.1.0

- Allow relative urls to be sanitized

## 2.0.2

- Sanitize malicious URLs that begin with `\s`

## 2.0.1

- Sanitize malicious URLs that begin with %20

## 2.0.0

- sanitize data: urls

## 1.0.0

- sanitize javascript: urls
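
The following reference sanitizer pulls together the behaviours the entries above describe (entity decoding, invisible characters, blocked schemes, blank and null input, relative and protocol-less URLs) so the cumulative effect of the fixes can be run against the changelog's own inputs; it is an added example, not the package's implementation. The blocked-scheme list, the invisible-character set, the leading `%20` handling and the fixed-point normalize loop are my assumptions about how such a sanitizer should behave, not the project's documented design.

```javascript
// Reference sanitizer modelled on the behaviours listed in this changelog.
// Added example for illustration; not the project's own implementation.
const SAFE_FALLBACK = "about:blank";
const BLOCKED_SCHEMES = ["javascript", "data", "vbscript"]; // 1.0.0, 2.0.0, 5.0.0

// Decode numeric character references, with or without the trailing ';'
// (6.0.0): "&#0000106&#0000097..." and "&#x6a;" both decode to "j...".
function decodeNumericEntities(url) {
  return url.replace(/&#(x[0-9a-f]+|\d+);?/gi, (_, code) => {
    const cp = /^x/i.test(code) ? parseInt(code.slice(1), 16) : parseInt(code, 10);
    return cp > 0x10ffff ? "" : String.fromCodePoint(cp); // drop invalid code points
  });
}

// Remove ASCII control characters and invisible Unicode whitespace (5.0.2),
// so "javasc\tript:" (6.0.1) and "https://example.com\n/something" (6.0.2)
// collapse to their visible form before the scheme is inspected.
function stripInvisible(url) {
  return url.replace(/[\u0000-\u001f\u007f-\u009f\u00ad\u200b-\u200d\u2060\ufeff]/g, "");
}

// Decode, strip and trim until the string stops changing, so a reference that
// decodes to a tab, or a tab that splits a reference, cannot survive one pass.
function normalize(url) {
  let prev;
  let cur = String(url);
  for (let i = 0; i < 5 && cur !== prev; i++) {
    prev = cur;
    cur = stripInvisible(decodeNumericEntities(cur))
      .replace(/^(?:\s|%(?:20|09|0a|0d))+/i, "") // leading %20 / whitespace (2.0.1, 2.0.2)
      .trim(); // 3.1.0
  }
  return cur;
}

function sanitizeUrl(url) {
  if (url === null || url === undefined) return SAFE_FALLBACK; // 3.0.0
  const cleaned = normalize(url);
  if (cleaned === "") return SAFE_FALLBACK; // 3.0.0
  // Relative (2.1.0) and protocol-less (4.0.0) URLs have no scheme and pass through.
  const scheme = cleaned.match(/^([a-z][a-z0-9+.-]*):/i);
  if (!scheme) return cleaned;
  return BLOCKED_SCHEMES.includes(scheme[1].toLowerCase()) ? SAFE_FALLBACK : cleaned;
}
```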