[DOMPurify Security] New Release Version 0.4.5 (Minor Security Issue)

Security Announcements for DOMPurify and related tools dompurify-security at lists.ruhr-uni-bochum.de
Fri Jan 16 13:31:42 CET 2015


*Intro*

A new version of DOMPurify was released today: DOMPurify 0.4.5

*Background*

A minor security issue was reported by @filedescriptor:

The DOM clobbering check did not work properly in all situations. An
attacker was able to clobber empty yet existing DOM properties.

*Example*

The HTML string `<img src=x name=cookie>` allowed an attacker to clobber
`document.cookie` and set it to a value like `[object HTMLImageElement]`.

There is, however, no evidence that arbitrary strings could have been
clobbered into `document.cookie`, giving the attack a fairly small yet
existing and actionable impact.

*Fix*

The fix commit is available here:
https://github.com/cure53/DOMPurify/commit/1fb9038b8f6b192a81696a5ff3e7236f2909eebf

The clobbering checks were improved, now using the "in" operator
instead of checking the presence of a value.

The fix was suggested and reviewed by the reporter.
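
The difference between the two kinds of check, as an added example that is not part of the original announcement and not DOMPurify's own code: `fakeDocument` is a constructed stand-in for a browser `document`, and all function names are hypothetical.

```javascript
// Constructed stand-in for a browser `document`, so this runs without a DOM.
// `cookie` and `title` exist but are empty strings, as on a fresh page;
// they live on the prototype, like the real accessors on Document.prototype.
const docProto = { cookie: '', title: '', getElementById() { return null; } };
const fakeDocument = Object.create(docProto);
fakeDocument.body = {};

// Value-based check (hypothetical shape of the weaker logic):
// a name only counts as clobbering if the property currently holds a truthy value.
function clobbersByValue(doc, name) {
  return Boolean(doc[name]);
}

// `in`-based check: a name counts as clobbering if the property exists at all,
// on the object itself or anywhere on its prototype chain, whatever its value.
function clobbersByIn(doc, name) {
  return name in doc;
}

// Compare both checks for a list of id/name attribute values.
function audit(doc, names) {
  return names.map((name) => {
    const byValue = clobbersByValue(doc, name);
    const byIn = clobbersByIn(doc, name);
    return { name, byValue, byIn, missedByValueCheck: byIn && !byValue };
  });
}

// Names that exist on the document but slip past the value-based check.
function missedNames(doc, names) {
  return audit(doc, names)
    .filter((row) => row.missedByValueCheck)
    .map((row) => row.name);
}

// Constructed sample attribute values, including the `cookie` case from the advisory.
const sampleNames = ['cookie', 'title', 'getElementById', 'body', 'avatar'];
console.log(audit(fakeDocument, sampleNames));
console.log('missed by value check:', missedNames(fakeDocument, sampleNames));
```

Properties that are present but empty are exactly the ones the value-based check lets through, while a name such as `avatar` that does not exist on the document is accepted by both checks.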

*Packages*

Updated packages are available here:
https://github.com/cure53/DOMPurify/releases/tag/0.4.5

EOF

-- 
Fon    +49 1520 8675782
PGP    0xD33441A8
S/MIME kuix.de/smime-keyserver/

cure53.de || mario.heideri.ch || 0x6D6172696F
