[DOMPurify Security] New Release Version 0.9.0 (Security Issue)

Security Announcements for DOMPurify and related tools dompurify-security at lists.ruhr-uni-bochum.de
Thu May 18 17:15:32 CEST 2017


*Intro*

A new version of DOMPurify was released today: DOMPurify 0.9.0

*Background*

It was discovered that the Safari DOMParser XSS that led to earlier
security releases of DOMPurify was worse than assumed and allowed more
variations. Some of them bypass DOMPurify 0.8.9 and earlier versions.

Today, a new DOMPurify version was released. That version addresses the
Safari issue in a different way and now offers the same protection for
Safari 10.1 and Safari 10.2 users as for any other browsers' users.

DOMPurify 0.9.0 now works around Safari's security weaknesses more
effectively and fixes all known variations of the browser XSS.

*Fix*

DOMPurify now performs better checks to mitigate both the Safari
DOMParser XSS and all known variations:

https://github.com/cure53/DOMPurify/blob/master/src/purify.js#L406

*Packages*

Updated packages are available here:
https://github.com/cure53/DOMPurify/releases/tag/0.9.0

EOF

-- 
Fon    +49 1520 8675782
PGP    0xD33441A8
S/MIME kuix.de/smime-keyserver/

cure53.de || mario.heideri.ch || 0x6D6172696F
