UNPKG

@braintree/sanitize-url/CHANGELOG.md

Version:

2.46 kBMarkdownView Raw

1# CHANGELOG
2
3## 7.0.0
4
5- Move constant declarations from index file to `constants.ts` file
6- Update to node v18
7
8- Dev Dependency Updates
9  - Update to TypeScript 5
10  - Other minor dependency updates
11
12## 6.0.4
13
14- Add additional null byte sanitization prior to html decoding (#48)
15
16## 6.0.3
17
18- Add null check to beginning of `sanitizeUrl` function ([#54](https://github.com/braintree/sanitize-url/issues/54))
19
20## 6.0.2
21
22- Fix issue where urls in the form `https://example.com&NewLine;&NewLine;/something` were not properly sanitized
23
24## 6.0.1
25
26- Fix issue where urls in the form `javascript&colon;alert('xss');` were not properly sanitized
27- Fix issue where urls in the form `javasc&Tab;ript:alert('XSS');` were not properly sanitized
28
29## 6.0.0
30
31**Breaking Changes**
32
33- Decode HTML characters automatically that would result in an XSS vulnerability when rendering links via a server rendered HTML file
34
35```js
36// decodes to javacript:alert('XSS')
37const vulnerableUrl =
38  "&#0000106&#0000097&#0000118&#0000097&#0000115&#0000099&#0000114&#0000105&#0000112&#0000116&#0000058&#0000097&#0000108&#0000101&#0000114&#0000116&#0000040&#0000039&#0000088&#0000083&#0000083&#0000039&#0000041";
39
40sanitizeUrl(vulnerableUrl); // 'about:blank'
41
42const okUrl = "https://example.com/" + vulnerableUrl;
43
44// since the javascript bit is in the path instead of the protocol
45// this is successfully sanitized
46sanitizeUrl(okUrl); // 'https://example.com/javascript:alert('XSS');
47```
48
49## 5.0.2
50
51- Fix issue where certain invisible white space characters were not being sanitized (#35)
52
53## 5.0.1
54
55- Fix issue where certain safe characters were being filtered out (#31 thanks @akirchmyer)
56
57## 5.0.0
58
59_Breaking Changes_
60
61- Sanitize vbscript urls (thanks @vicnicius)
62
63## 4.1.1
64
65- Fixup path to type declaration (closes #25)
66
67## 4.1.0
68
69- Add typescript types
70
71## 4.0.1
72
73- Fix issue where urls with accented characters were incorrectly sanitized
74
75## 4.0.0
76
77_Breaking Changes_
78
79- Protocol-less urls (ie: www.example.com) will be sanitised and passed on instead of sending out `about:blank` (Thanks @chawes13 #18)
80
81## 3.1.0
82
83- Trim whitespace from urls
84
85## 3.0.0
86
87_breaking changes_
88
89- Replace blank strings with about:blank
90- Replace null values with about:blank
91
92## 2.1.0
93
94- Allow relative urls to be sanitized
95
96## 2.0.2
97
98- Sanitize malicious URLs that begin with `\s`
99
100## 2.0.1
101
102- Sanitize malicious URLs that begin with %20
103
104## 2.0.0
105
106- sanitize data: urls
107
108## 1.0.0
109
110- sanitize javascript: urls

1	`# CHANGELOG`
2
3	`## 7.0.0`
4
5	- Move constant declarations from index file to `constants.ts` file
6	`- Update to node v18`
7
8	`- Dev Dependency Updates`
9	`- Update to TypeScript 5`
10	`- Other minor dependency updates`
11
12	`## 6.0.4`
13
14	`- Add additional null byte sanitization prior to html decoding (#48)`
15
16	`## 6.0.3`
17
18	- Add null check to beginning of `sanitizeUrl` function ([#54](https://github.com/braintree/sanitize-url/issues/54))
19
20	`## 6.0.2`
21
22	- Fix issue where urls in the form `https://example.com&NewLine;&NewLine;/something` were not properly sanitized
23
24	`## 6.0.1`
25
26	- Fix issue where urls in the form `javascript&colon;alert('xss');` were not properly sanitized
27	- Fix issue where urls in the form `javasc&Tab;ript:alert('XSS');` were not properly sanitized
28
29	`## 6.0.0`
30
31	`Breaking Changes`
32
33	`- Decode HTML characters automatically that would result in an XSS vulnerability when rendering links via a server rendered HTML file`
34
35	```js
36	`// decodes to javacript:alert('XSS')`
37	`const vulnerableUrl =`
38	`"&#0000106&#0000097&#0000118&#0000097&#0000115&#0000099&#0000114&#0000105&#0000112&#0000116&#0000058&#0000097&#0000108&#0000101&#0000114&#0000116&#0000040&#0000039&#0000088&#0000083&#0000083&#0000039&#0000041";`
39
40	`sanitizeUrl(vulnerableUrl); // 'about:blank'`
41
42	`const okUrl = "https://example.com/" + vulnerableUrl;`
43
44	`// since the javascript bit is in the path instead of the protocol`
45	`// this is successfully sanitized`
46	`sanitizeUrl(okUrl); // 'https://example.com/javascript:alert('XSS');`
47	```
48
49	`## 5.0.2`
50
51	`- Fix issue where certain invisible white space characters were not being sanitized (#35)`
52
53	`## 5.0.1`
54
55	`- Fix issue where certain safe characters were being filtered out (#31 thanks @akirchmyer)`
56
57	`## 5.0.0`
58
59	`_Breaking Changes_`
60
61	`- Sanitize vbscript urls (thanks @vicnicius)`
62
63	`## 4.1.1`
64
65	`- Fixup path to type declaration (closes #25)`
66
67	`## 4.1.0`
68
69	`- Add typescript types`
70
71	`## 4.0.1`
72
73	`- Fix issue where urls with accented characters were incorrectly sanitized`
74
75	`## 4.0.0`
76
77	`_Breaking Changes_`
78
79	- Protocol-less urls (ie: www.example.com) will be sanitised and passed on instead of sending out `about:blank` (Thanks @chawes13 #18)
80
81	`## 3.1.0`
82
83	`- Trim whitespace from urls`
84
85	`## 3.0.0`
86
87	`_breaking changes_`
88
89	`- Replace blank strings with about:blank`
90	`- Replace null values with about:blank`
91
92	`## 2.1.0`
93
94	`- Allow relative urls to be sanitized`
95
96	`## 2.0.2`
97
98	- Sanitize malicious URLs that begin with `\s`
99
100	`## 2.0.1`
101
102	`- Sanitize malicious URLs that begin with %20`
103
104	`## 2.0.0`
105
106	`- sanitize data: urls`
107
108	`## 1.0.0`
109
110	`- sanitize javascript: urls`