[DOMPurify Security] New Release Versions 2.5.1 & 3.1.1 (Security Issue)
Security Announcements for DOMPurify and related tools
dompurify-security at lists.ruhr-uni-bochum.de
Fri Apr 26 13:33:22 CEST 2024
*Intro*
New versions of DOMPurify were released today: DOMPurify 2.5.1 & 3.1.1
*Background*
It has been found that HTML whose elements are nested to a certain,
excessive depth causes some browser engines to stumble and produce an
inaccurate DOM tree hierarchy, leading to sanitizer bypasses.
The problems were reported by @icesfont and fixed in collaboration with them.
*Fix*
DOMPurify is now better equipped to measure the nesting depth of
elements and react to nesting depths that are too large. This will
prevent the browser from being confronted with confusing HTML and thus
producing an inaccurate DOM tree, thereby mitigating the attack.
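As an added illustration of the kind of mitigation the fix describes (example code, not DOMPurify's own implementation): measure the nesting depth of every element and prune anything deeper than a limit before the markup is handed on, so the browser never parses the confusing structure. MAX_NESTING_DEPTH, the el() tree helper and nestedChain() are constructed for this example and are not DOMPurify's values or API.

```javascript
// Added example in the spirit of the DOMPurify 2.5.1 / 3.1.1 fix; not DOMPurify code.
// Only parentNode / childNodes / removeChild are used, so the two functions below
// also work on real DOM Elements in a browser. The el() helper stands in for
// document.createElement so the example runs under Node as well.

// Assumed limit (placeholder, not the threshold DOMPurify uses).
const MAX_NESTING_DEPTH = 255;

// Depth of a node = number of ancestors between it and the root (root has depth 0).
function nestingDepth(node) {
  let depth = 0;
  for (let p = node.parentNode; p !== null; p = p.parentNode) depth++;
  return depth;
}

// Walk the tree; any element nested deeper than `max` is removed together with
// its whole subtree. Returns the number of subtrees removed.
function pruneDeepElements(root, max = MAX_NESTING_DEPTH) {
  let removed = 0;
  const stack = [root];
  while (stack.length) {
    const node = stack.pop();
    if (nestingDepth(node) > max) {
      node.parentNode.removeChild(node); // subtree goes with it
      removed++;
      continue;
    }
    for (const child of Array.from(node.childNodes)) stack.push(child);
  }
  return removed;
}

// Deepest nesting level present in the tree (useful as a post-condition check).
function maxDepth(root) {
  let deepest = 0;
  const stack = [[root, 0]];
  while (stack.length) {
    const [node, d] = stack.pop();
    if (d > deepest) deepest = d;
    for (const c of node.childNodes) stack.push([c, d + 1]);
  }
  return deepest;
}

// Minimal constructed stand-in for DOM elements (demo only).
function el(nodeName, ...children) {
  const node = { nodeName, childNodes: [], parentNode: null,
    removeChild(c) { const i = this.childNodes.indexOf(c);
      if (i >= 0) { this.childNodes.splice(i, 1); c.parentNode = null; } return c; } };
  for (const c of children) { c.parentNode = node; node.childNodes.push(c); }
  return node;
}

// Constructed input: a chain of `n` nested <div> elements under a <body> root.
function nestedChain(n) {
  let leaf = el('DIV');
  const innermost = leaf;
  for (let i = 1; i < n; i++) leaf = el('DIV', leaf);
  return { root: el('BODY', leaf), innermost };
}
```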
*Packages*
Updated packages are available here:
https://github.com/cure53/DOMPurify/releases/tag/2.5.1
https://github.com/cure53/DOMPurify/releases/tag/3.1.1
EOF
--
Fon +49 1520 8675 782
PGP 0xC26C858090F70ADA
cure53.de || keybase.io/cure53 || @cure53berlin