[DOMPurify Security] New Release Version 2.0.7 (Security Issue)

Security Announcements for DOMPurify and related tools dompurify-security at lists.ruhr-uni-bochum.de
Mon Oct 21 12:15:09 CEST 2019


*Intro*

A new version of DOMPurify was released today: DOMPurify 2.0.7

*Background*

Following the maintenance release of DOMPurify 2.0.6, an array of mXSS
variations, spotted by Masato Kinugawa in an internal code audit, was
addressed and fixed. This time, the attacks made use of mutations caused
by content removal from non-HTML tags inside HTML context.

*Fix*

DOMPurify is now more aware of this and comparable browser issues
and changes the sanitization behavior to be more secure. The fix has
been reviewed by the original finder as well.

*Packages*

Updated packages are available here:
https://github.com/cure53/DOMPurify/releases/tag/2.0.7
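One practical follow-up to an announcement like this is confirming that every copy of DOMPurify in a dependency tree, including transitive ones, is at or above the fixed release. The Node script below is an added example, not code from the announcement or from the DOMPurify project: it reads a package-lock.json object (both the nested v1 "dependencies" shape and the flat v2/v3 "packages" shape), locates every dompurify entry and reports those older than 2.0.7. The sample lock, including the package name "some-widget", is constructed for the example.

```javascript
// Added example (not part of the DOMPurify announcement): report DOMPurify
// installs in a package-lock.json that predate the fixed release.
const FIXED_VERSION = "2.0.7"; // release named in the announcement

// Parse "MAJOR.MINOR.PATCH[-prerelease]" into comparable parts.
function parseSemver(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?/.exec(String(v).trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return { major: +m[1], minor: +m[2], patch: +m[3], pre: m[4] || null };
}

// Negative if a < b, zero if equal, positive if a > b.
function compareSemver(a, b) {
  const x = parseSemver(a), y = parseSemver(b);
  for (const k of ["major", "minor", "patch"]) {
    if (x[k] !== y[k]) return x[k] - y[k];
  }
  // A pre-release sorts before the release it precedes.
  if (x.pre === y.pre) return 0;
  if (x.pre === null) return 1;
  if (y.pre === null) return -1;
  return x.pre < y.pre ? -1 : 1;
}

// Collect every dompurify entry with its install path. Lockfile v2/v3 carries
// a flat "packages" map; v1 nests "dependencies". Use only one shape so a v2
// lock (which has both) is not double counted.
function findDompurify(lock) {
  const found = [];
  if (lock.packages) {
    for (const [path, entry] of Object.entries(lock.packages)) {
      if (path.endsWith("node_modules/dompurify") && entry.version) {
        found.push({ path, version: entry.version });
      }
    }
    return found;
  }
  const walk = (deps, prefix) => {
    for (const [name, entry] of Object.entries(deps || {})) {
      const path = `${prefix}node_modules/${name}`;
      if (name === "dompurify" && entry.version) found.push({ path, version: entry.version });
      walk(entry.dependencies, path + "/");
    }
  };
  walk(lock.dependencies, "");
  return found;
}

// Entries strictly older than the fixed version.
function outdatedDompurify(lock, fixed = FIXED_VERSION) {
  return findDompurify(lock).filter((f) => compareSemver(f.version, fixed) < 0);
}

// Constructed sample (v1 shape): the direct install is already 2.0.7, but a
// hypothetical "some-widget" package still pins its own copy at 2.0.6.
const SAMPLE_LOCK = {
  dependencies: {
    dompurify: { version: "2.0.7" },
    "some-widget": {
      version: "1.0.0",
      dependencies: { dompurify: { version: "2.0.6" } },
    },
  },
};

for (const hit of outdatedDompurify(SAMPLE_LOCK)) {
  console.log(`${hit.path}: ${hit.version} < ${FIXED_VERSION}, upgrade needed`);
}
```

To run it against a real project, replace SAMPLE_LOCK with `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))`; the nested walk is what catches the transitive copies that `npm ls` output is easy to skim past.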

EOF

-- 
Fon  +49 1520 8675 782
PGP  0xC26C858090F70ADA

cure53.de || keybase.io/cure53 || @cure53berlin
