# CHANGELOG

## 7.0.0

- Move constant declarations from the index file to `constants.ts`
- Update to Node v18

- Dev Dependency Updates
  - Update to TypeScript 5
  - Other minor dependency updates

## 6.0.4

- Add additional null byte sanitization prior to HTML decoding (#48)

## 6.0.3

- Add null check to the beginning of the `sanitizeUrl` function ([#54](https://github.com/braintree/sanitize-url/issues/54))

## 6.0.2

- Fix issue where urls containing an embedded newline, in the form `https://example.com\n/something`, were not properly sanitized

## 6.0.1

- Fix issue where urls in the form `javascript:alert('xss');` were not properly sanitized
- Fix issue where urls in the form `javasc\tript:alert('XSS');` (a tab character inside the protocol) were not properly sanitized

## 6.0.0

**Breaking Changes**

- Automatically decode HTML character entities that would otherwise result in an XSS vulnerability when links are rendered via a server-rendered HTML file

|
```js
const { sanitizeUrl } = require("@braintree/sanitize-url");

// the HTML-entity-encoded form of javascript:alert('XSS'); a browser decodes
// the entities before following the link, so the encoded form is still live
const vulnerableUrl =
  "&#106;&#97;&#118;&#97;&#115;&#99;&#114;&#105;&#112;&#116;&#58;&#97;&#108;&#101;&#114;&#116;&#40;&#39;&#88;&#83;&#83;&#39;&#41;";

sanitizeUrl(vulnerableUrl); // 'about:blank'

const okUrl = "https://example.com/" + vulnerableUrl;

// since the javascript bit is in the path instead of the protocol
// this url passes sanitization and is returned (with the entities decoded)
sanitizeUrl(okUrl); // "https://example.com/javascript:alert('XSS')"
```
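
The entries from 1.0.0 up to 6.0.4 describe one accumulating set of checks: a blocked-scheme list (`javascript:`, `data:`, `vbscript:`), stripping of leading whitespace and its `%20` encoding, removal of control and invisible characters (the tab in `javasc\tript:` and the embedded newline), HTML entity decoding, and null-byte removal that has to happen before decoding. The block below is an added example written for this page, not the code of @braintree/sanitize-url: an independent reference sanitizer that applies those checks in the order the entries imply, run over constructed inputs, one per bypass the changelog names. The names `sanitizeUrlDemo`, `decodeHtmlCharacters`, `BLOCKED_SCHEMES` and `checkCases` are the example's own.

```javascript
// Added example: an independent reference sanitizer that applies the checks
// the changelog entries describe. Constructed for this page; it is NOT the
// source of @braintree/sanitize-url, and the names below are the example's own.
const BLANK_URL = "about:blank";

// Schemes the changelog blocks: javascript: (1.0.0), data: (2.0.0), vbscript: (5.0.0).
const BLOCKED_SCHEMES = new Set(["javascript", "data", "vbscript"]);

// A scheme as a browser parses it: an ASCII letter, then letters/digits/+/-/.,
// terminated by ":". Anything that does not match is relative or protocol-less.
const SCHEME_PATTERN = /^([a-z][a-z0-9+.-]*):/i;

// C0/C1 control characters (the tab in "javasc\tript:" and the newline in
// "https://example.com\n/something"), invisible Unicode spaces and the BOM.
const INVISIBLE_PATTERN = /[\u0000-\u001f\u007f-\u009f\u2000-\u200d\ufeff]/g;

// Leading whitespace, literal or percent-encoded ("%20javascript:" bypass).
const LEADING_WHITESPACE_PATTERN = /^(?:\s|%(?:20|09|0a|0d))+/i;

// Decode numeric HTML character references (&#106; or &#x6a;) the way a
// browser does before it follows an href, so "&#106;avascript:" is seen as
// "javascript:". Out-of-range references are left untouched.
function decodeHtmlCharacters(str) {
  return str.replace(/&#(x[0-9a-f]+|[0-9]+);?/gi, (match, code) => {
    const codePoint = /^x/i.test(code)
      ? parseInt(code.slice(1), 16)
      : parseInt(code, 10);
    return codePoint <= 0x10ffff ? String.fromCodePoint(codePoint) : match;
  });
}

function sanitizeUrlDemo(url) {
  if (url == null) return BLANK_URL;                 // null / undefined (3.0.0, 6.0.3)

  // Order matters: strip null bytes BEFORE decoding (6.0.4), decode entities
  // (6.0.0), then strip controls so a decoded "&#9;" tab cannot survive.
  const cleaned = decodeHtmlCharacters(String(url).replace(/\u0000/g, ""))
    .replace(INVISIBLE_PATTERN, "")                  // 5.0.2, 6.0.1, 6.0.2
    .replace(LEADING_WHITESPACE_PATTERN, "")         // 2.0.1, 2.0.2
    .trim();                                         // 3.1.0

  if (cleaned === "") return BLANK_URL;              // blank strings (3.0.0)

  const scheme = SCHEME_PATTERN.exec(cleaned);
  if (!scheme) return cleaned;                       // relative (2.1.0) or protocol-less (4.0.0)

  return BLOCKED_SCHEMES.has(scheme[1].toLowerCase()) ? BLANK_URL : cleaned;
}

// Constructed inputs, one per bypass the changelog names, with the expected result.
const CASES = [
  ["javascript:alert('XSS')", BLANK_URL],                               // 1.0.0
  ["data:text/html,<script>alert(1)</script>", BLANK_URL],              // 2.0.0
  ["%20javascript:alert(1)", BLANK_URL],                                // 2.0.1
  ["\tjavascript:alert(1)", BLANK_URL],                                 // 2.0.2
  ["  javascript:alert(1)  ", BLANK_URL],                               // 3.1.0
  ["VBScript:MsgBox(1)", BLANK_URL],                                    // 5.0.0
  ["java\u200bscript:alert(1)", BLANK_URL],                             // 5.0.2
  ["&#106;&#97;&#118;&#97;&#115;&#99;&#114;&#105;&#112;&#116;&#58;alert(1)", BLANK_URL], // 6.0.0
  ["jav&#x09;ascript:alert(1)", BLANK_URL],                             // 6.0.0 + 6.0.1
  ["javasc\tript:alert('XSS');", BLANK_URL],                            // 6.0.1
  ["https://example.com\n/something", "https://example.com/something"], // 6.0.2
  ["&#\u0000106;avascript:alert(1)", BLANK_URL],                        // 6.0.4
  ["https://example.com/javascript:alert('XSS')", "https://example.com/javascript:alert('XSS')"], // path, not scheme
  ["www.example.com", "www.example.com"],                               // 4.0.0
  ["/relative/path?q=1", "/relative/path?q=1"],                         // 2.1.0
  ["https://example.com/café", "https://example.com/café"],             // 4.0.1
  ["", BLANK_URL],                                                      // 3.0.0
  [null, BLANK_URL],                                                    // 3.0.0 / 6.0.3
];

// Returns the cases whose actual result differs from the expected one.
function checkCases() {
  return CASES.filter(([input, expected]) => sanitizeUrlDemo(input) !== expected)
    .map(([input, expected]) => ({ input, expected, actual: sanitizeUrlDemo(input) }));
}

console.log(checkCases().length === 0 ? "all cases pass" : checkCases());
```

Two points worth keeping in mind when reading the example against the entries above. First, the sanitizer returns the decoded and normalized url, not the caller's input, so the consumer must render the returned value; handing the original string to the template would reintroduce the entity-encoded payload. Second, the blocked-scheme list mirrors the changelog's denylist approach; for a new integration an allowlist of the schemes the application actually needs (for instance `https`, `mailto`) is the safer default, because any scheme not anticipated is rejected rather than passed through.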

## 5.0.2

- Fix issue where certain invisible white space characters were not being sanitized (#35)

## 5.0.1

- Fix issue where certain safe characters were being filtered out (#31, thanks @akirchmyer)

## 5.0.0

_Breaking Changes_

- Sanitize `vbscript:` urls (thanks @vicnicius)

## 4.1.1

- Fix up path to type declaration (closes #25)

## 4.1.0

- Add TypeScript types

## 4.0.1

- Fix issue where urls with accented characters were incorrectly sanitized

## 4.0.0

_Breaking Changes_

- Protocol-less urls (i.e. `www.example.com`) will be sanitized and passed on instead of returning `about:blank` (thanks @chawes13, #18)

## 3.1.0

- Trim whitespace from urls

## 3.0.0

_Breaking Changes_

- Replace blank strings with `about:blank`
- Replace null values with `about:blank`

## 2.1.0

- Allow relative urls to be sanitized

## 2.0.2

- Sanitize malicious urls that begin with `\s` (whitespace)

## 2.0.1

- Sanitize malicious urls that begin with `%20`

## 2.0.0

- Sanitize `data:` urls

## 1.0.0

- Sanitize `javascript:` urls