[DOMPurify Security] New Release Version 2.0.8 (Security Issue)

Security Announcements for DOMPurify and related tools dompurify-security at lists.ruhr-uni-bochum.de
Mon Feb 3 14:20:53 CET 2020


*Intro*

A new version of DOMPurify was released today: DOMPurify 2.0.8

*Background*

A conditional jQuery-based XSS bypass was spotted by Masato Kinugawa.
The issue was addressed and fixed. Note that the attack only works in
case SAFE_FOR_JQUERY is enabled and jQuery 3.x is being used.

*Fix*

DOMPurify is now aware of jQuery's broken HTML parsing behavior and
works around it. The fix has been reviewed by the original finder as well.
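The advisory's preconditions (DOMPurify older than 2.0.8, SAFE_FOR_JQUERY enabled, jQuery 3.x in use) can be turned into a quick exposure check for an inventory of deployments. The following is an added example, not code from the advisory or from DOMPurify itself; the version strings and config objects are constructed, and in a browser the real values would come from DOMPurify.version, jQuery.fn.jquery and the config object passed to DOMPurify.sanitize().

```javascript
// Parse a dotted version string into numeric parts, dropping any
// pre-release or build suffix ("2.0.8-rc.1" -> [2, 0, 8]).
function parseVersion(v) {
  const core = String(v).trim().replace(/^v/, '').split(/[-+]/)[0];
  return core.split('.').map((part) => {
    const n = parseInt(part, 10);
    if (Number.isNaN(n)) throw new Error(`bad version string: ${v}`);
    return n;
  });
}

// Numeric component-wise comparison: -1 if a < b, 0 if equal, 1 if a > b.
// Missing trailing components count as 0, so "2.0" equals "2.0.0".
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  const len = Math.max(pa.length, pb.length);
  for (let i = 0; i < len; i++) {
    const x = pa[i] || 0;
    const y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Version named in the advisory as carrying the fix.
const FIXED_IN = '2.0.8';

// A deployment is exposed only when all three advisory conditions hold:
// an unfixed DOMPurify build, SAFE_FOR_JQUERY set in the sanitizer config,
// and a jQuery 3.x major version on the page.
function isExposed({ dompurifyVersion, jqueryVersion, config = {} }) {
  const unfixedBuild = compareVersions(dompurifyVersion, FIXED_IN) < 0;
  const safeForJquery = config.SAFE_FOR_JQUERY === true;
  const jquery3 = jqueryVersion != null && parseVersion(jqueryVersion)[0] === 3;
  return unfixedBuild && safeForJquery && jquery3;
}

// Returns the names of exposed deployments from a constructed inventory.
function exposedDeployments(inventory) {
  return inventory.filter((d) => isExposed(d)).map((d) => d.name);
}

// Constructed sample inventory (hypothetical app names and versions).
const SAMPLE_INVENTORY = [
  { name: 'portal', dompurifyVersion: '2.0.7', jqueryVersion: '3.4.1', config: { SAFE_FOR_JQUERY: true } },
  { name: 'admin',  dompurifyVersion: '2.0.8', jqueryVersion: '3.4.1', config: { SAFE_FOR_JQUERY: true } },
  { name: 'legacy', dompurifyVersion: '2.0.7', jqueryVersion: '2.2.4', config: { SAFE_FOR_JQUERY: true } },
  { name: 'blog',   dompurifyVersion: '2.0.7', jqueryVersion: '3.4.1', config: {} },
];
```

Running `exposedDeployments(SAMPLE_INVENTORY)` on the constructed inventory flags only `portal`; the other entries each miss one of the three conditions.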

*Packages*

Updated packages are available here:
https://github.com/cure53/DOMPurify/releases/tag/2.0.8

EOF

-- 
Fon  +49 1520 8675 782
PGP  0xC26C858090F70ADA

cure53.de || keybase.io/cure53 || @cure53berlin


