[DOMPurify Security] New Release Version 2.0.2 (Security Issue)

Security Announcements for DOMPurify and related tools dompurify-security at lists.ruhr-uni-bochum.de
Mon Sep 23 11:46:28 CEST 2019


*Intro*

A new version of DOMPurify was released today: DOMPurify 2.0.2

*Background*

Following the release of DOMPurify 2.0.1, a more thorough internal audit
against Blink-based mXSS bugs was conducted. Several mXSS variations,
spotted by Masato Kinugawa, were addressed and fixed.

With this release, what is believed to be a more holistic way to prevent
mXSS bugs was found, specifically for bugs originating from HTML
attributes and tags nested inside SVG and MathML.

Further, this release also addresses a DoS problem caused by the
sanitization of HTML tables when DOMPurify is configured with
potentially conflicting configuration settings.

*Fix*

DOMPurify is now more aware of this and comparable browser issues and
changes its sanitization behavior to be more secure. The fix has also
been reviewed by the original finder.

*Packages*

Updated packages are available here:
https://github.com/cure53/DOMPurify/releases/tag/2.0.2
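A practical follow-up to this announcement is confirming that every copy of DOMPurify in a project, including transitive copies pinned by other dependencies, has moved to the fixed release. The script below is an added example, not part of this announcement or of the DOMPurify project: it walks an npm package-lock.json in both the nested lockfileVersion 1 layout and the flat v2/v3 layout, assuming the package name `dompurify` and a constructed sample lockfile with a hypothetical dependency `some-editor`.

```python
"""Audit an npm package-lock.json for copies of DOMPurify older than the fixed
release 2.0.2 named in this advisory. Added example; not DOMPurify project code."""
import json
import re

FIXED_VERSION = "2.0.2"  # the release this advisory announces

def parse_semver(v):
    """Comparable tuple (major, minor, patch, is_release); build metadata is
    ignored and a prerelease sorts before the release of the same number."""
    m = re.match(r"^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?", v)
    if not m:
        raise ValueError(f"unparseable version: {v!r}")
    major, minor, patch, pre = m.groups()
    return (int(major), int(minor), int(patch), pre is None)

def is_vulnerable(version, fixed=FIXED_VERSION):
    """True when `version` is strictly older than the fixed release."""
    return parse_semver(version) < parse_semver(fixed)

def find_dompurify(lock):
    """Return (install_path, version) for every dompurify entry. Handles
    lockfileVersion 1 (nested 'dependencies') and 2/3 (flat 'packages')."""
    found = []
    for path, meta in lock.get("packages", {}).items():  # v2/v3 layout
        if path.split("node_modules/")[-1] == "dompurify" and "version" in meta:
            found.append((path, meta["version"]))

    def walk(deps, prefix):  # v1 layout: nested tree, one level per node_modules
        for name, meta in deps.items():
            path = f"{prefix}node_modules/{name}"
            if name == "dompurify" and "version" in meta:
                found.append((path, meta["version"]))
            walk(meta.get("dependencies", {}), path + "/")

    if "packages" not in lock:  # v2 carries both maps; walk only a pure v1 file
        walk(lock.get("dependencies", {}), "")
    return found

def audit(lock_text):
    """List the (install_path, version) entries still below FIXED_VERSION."""
    return [(p, v) for p, v in find_dompurify(json.loads(lock_text))
            if is_vulnerable(v)]

# Constructed sample lockfile: the direct copy is on 2.0.2, but a hypothetical
# dependency "some-editor" still pins its own transitive copy to 2.0.1.
SAMPLE_LOCK = json.dumps({"lockfileVersion": 1, "dependencies": {
    "dompurify": {"version": "2.0.2"},
    "some-editor": {"version": "1.0.0",
                    "dependencies": {"dompurify": {"version": "2.0.1"}}}}})
```

Running `audit(SAMPLE_LOCK)` reports only the nested 2.0.1 copy, which is the one a top-level `npm install dompurify@2.0.2` would leave untouched.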

EOF

-- 
Fon  +49 1520 8675 782
PGP  0xC26C858090F70ADA

cure53.de || keybase.io/cure53 || @cure53berlin
