From: dompurify-security at lists.ruhr-uni-bochum.de (Security Announcements for DOMPurify and related tools)
Date: Tue, 19 Mar 2024 14:24:06 +0100
Subject: [DOMPurify Security] New Release Versions 2.4.8 & 3.0.10 (Security Issues)

*Intro*

New versions of DOMPurify were released today: DOMPurify 2.4.8 & 3.0.10

*Background*

It has been found that if a document is sanitized in XML mode and later used in HTML mode, a bypass is possible due to improper handling of processing instructions as well as invalid HTML custom elements. The problems were reported by Vsevolod Kokorin (@Slonser) from Solidlab.

*Fix*

DOMPurify is now better equipped to detect and properly remove processing instructions in XML sanitization modes, and is stricter when checking whether an element is a valid HTML custom element.

*Packages*

Updated packages are available here:

https://github.com/cure53/DOMPurify/releases/tag/2.4.8
https://github.com/cure53/DOMPurify/releases/tag/3.0.10

EOF

--
Fon +49 1520 8675 782
PGP 0xC26C858090F70ADA
cure53.de || keybase.io/cure53 || @cure53berlin
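The custom-element half of the advisory comes down to what a sanitizer accepts as a "valid HTML custom element". The check below is an added example, not DOMPurify's code and not its actual fix; it implements the HTML Standard's custom element name rules (the PotentialCustomElementName production plus the reserved SVG/MathML names), and the function names `isValidCustomElementName` and `partitionTagNames` are this example's own.

```javascript
// Added example, not DOMPurify's own code: decides whether a tag name is a
// valid HTML custom element name under the HTML Standard's rules
// (PotentialCustomElementName production plus the reserved-name list).
// A sanitizer that keys its custom-element handling off a looser test, such
// as "contains a hyphen", can keep names the HTML parser will never treat
// as custom elements, which is where parser-mode mismatches start to matter.

// Names that match the production but are reserved by the spec
// (SVG/MathML elements that happen to contain a hyphen).
const RESERVED_NAMES = new Set([
  'annotation-xml', 'color-profile', 'font-face', 'font-face-src',
  'font-face-uri', 'font-face-format', 'font-face-name', 'missing-glyph',
]);

// PCENChar from the spec. Uppercase ASCII letters are deliberately absent.
const PCEN_CHAR =
  '[-._0-9a-z\\u00B7\\u00C0-\\u00D6\\u00D8-\\u00F6\\u00F8-\\u037D\\u037F-\\u1FFF' +
  '\\u200C-\\u200D\\u203F-\\u2040\\u2070-\\u218F\\u2C00-\\u2FEF\\u3001-\\uD7FF' +
  '\\uF900-\\uFDCF\\uFDF0-\\uFFFD\\u{10000}-\\u{EFFFF}]';

// PotentialCustomElementName ::= [a-z] (PCENChar)* '-' (PCENChar)*
const CUSTOM_ELEMENT_NAME = new RegExp(`^[a-z]${PCEN_CHAR}*-${PCEN_CHAR}*$`, 'u');

function isValidCustomElementName(name) {
  if (typeof name !== 'string') return false;
  return CUSTOM_ELEMENT_NAME.test(name) && !RESERVED_NAMES.has(name);
}

// Splits tag names into those a sanitizer may route through its
// custom-element rules and those it must treat as ordinary unknown tags.
function partitionTagNames(names) {
  const custom = [];
  const notCustom = [];
  for (const n of names) (isValidCustomElementName(n) ? custom : notCustom).push(n);
  return { custom, notCustom };
}

// Constructed sample input for a stand-alone run.
console.log(partitionTagNames(['my-widget', 'DIV', 'font-face', 'x-y', 'mydiv', '1-x']));
```

The processing-instruction half is a parser-mode mismatch rather than a naming rule: an HTML parser turns `<?...>` into a bogus comment, while an XML parser keeps it as a processing-instruction node (nodeType 7), so output sanitized in one mode should not be handed to a consumer that parses it in the other.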