[DOMPurify Security] New Release Versions 2.4.8 & 3.0.10 (Security Issues)
Security Announcements for DOMPurify and related tools
dompurify-security at lists.ruhr-uni-bochum.de
Tue Mar 19 14:24:06 CET 2024
*Intro*
New versions of DOMPurify were released today: DOMPurify 2.4.8 & 3.0.10
*Background*
It has been found that if a document is sanitized in XML mode (the
PARSER_MEDIA_TYPE option set to application/xhtml+xml) and the result is
later used in HTML mode, a bypass is possible: an XML parser and an HTML
parser interpret the same markup differently, and the sanitizer did not
properly handle processing instructions or elements that are not valid
HTML custom elements.
The problems were reported by Vsevolod Kokorin (@Slonser) from Solidlab.
*Fix*
DOMPurify is now better equipped to detect and properly remove
processing instructions in XML sanitization modes, and is stricter when
checking elements for being a valid HTML custom element.
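The two checks named in the Background and Fix sections above, as an added
illustration that is not DOMPurify's own code: a processing-instruction
filter and a custom-element-name check following the HTML specification's
PotentialCustomElementName production and reserved-name list. The helper
names (stripXmlOnlyNodes, isValidCustomElementName, el, pi, text, buildSample,
demo) are assumptions for this example. It runs on any duck-typed DOM that
exposes nodeType, localName, childNodes and removeChild, so the sample tree
below is constructed from plain objects rather than parsed from markup.

```javascript
// Added example, not DOMPurify code: the checks the advisory describes,
// written against a duck-typed DOM (nodeType/localName/childNodes/removeChild).
const ELEMENT_NODE = 1;
const TEXT_NODE = 3;
const PROCESSING_INSTRUCTION_NODE = 7;

// Names the HTML spec reserves even though they match the custom-element grammar.
const RESERVED_CUSTOM_ELEMENT_NAMES = new Set([
  'annotation-xml', 'color-profile', 'font-face', 'font-face-src',
  'font-face-uri', 'font-face-format', 'font-face-name', 'missing-glyph',
]);

// PCENChar from the HTML spec as a character class; the grammar is lowercase-only.
const PCEN_CHAR = '[-.0-9_a-z\\u00B7\\u00C0-\\u00D6\\u00D8-\\u00F6\\u00F8-\\u037D'
  + '\\u037F-\\u1FFF\\u200C-\\u200D\\u203F-\\u2040\\u2070-\\u218F\\u2C00-\\u2FEF'
  + '\\u3001-\\uD7FF\\uF900-\\uFDCF\\uFDF0-\\uFFFD\\u{10000}-\\u{EFFFF}]';
// PotentialCustomElementName ::= [a-z] (PCENChar)* '-' (PCENChar)*
const CUSTOM_ELEMENT_NAME = new RegExp(`^[a-z]${PCEN_CHAR}*-${PCEN_CHAR}*$`, 'u');

// True only for names the HTML spec accepts as a valid custom element name.
function isValidCustomElementName(name) {
  return CUSTOM_ELEMENT_NAME.test(name) && !RESERVED_CUSTOM_ELEMENT_NAMES.has(name);
}

// Removes processing instructions and hyphenated element names that are not
// valid custom elements; returns what was removed and why. Plain (non-hyphen)
// tag names are left to the normal allow-list and are not judged here.
function stripXmlOnlyNodes(root) {
  const removed = [];
  const walk = (node) => {
    // Iterate over a copy because removeChild mutates the live list.
    for (const child of Array.from(node.childNodes)) {
      if (child.nodeType === PROCESSING_INSTRUCTION_NODE) {
        removed.push({ reason: 'processing-instruction', name: child.nodeName });
        node.removeChild(child);
        continue;
      }
      if (child.nodeType === ELEMENT_NODE) {
        // localName is lowercase for HTML-parsed elements but case-preserving
        // under an XML parser, which is one place the two modes diverge.
        const name = child.localName;
        if (name.includes('-') && !isValidCustomElementName(name)) {
          removed.push({ reason: 'invalid-custom-element', name });
          node.removeChild(child);
          continue;
        }
        walk(child);
      }
    }
  };
  walk(root);
  return removed;
}

// Minimal constructed DOM stand-ins so the example runs without a browser.
function el(localName, ...childNodes) {
  const node = { nodeType: ELEMENT_NODE, localName, nodeName: localName, childNodes };
  node.removeChild = (c) => { node.childNodes.splice(node.childNodes.indexOf(c), 1); };
  return node;
}
function pi(target, data) {
  return { nodeType: PROCESSING_INSTRUCTION_NODE, nodeName: target, target, data, childNodes: [] };
}
function text(data) {
  return { nodeType: TEXT_NODE, nodeName: '#text', data, childNodes: [] };
}

// Constructed sample tree: the kinds of nodes an XML parse can contain that an
// HTML parse would not produce the same way. The PI data is a placeholder.
function buildSample() {
  return el('div',
    pi('xml-stylesheet', 'href="style.xsl"'),
    el('my-widget', text('valid custom element name, kept')),
    el('font-face', text('reserved name, removed')),
    el('My-Widget', text('uppercase is not a valid custom element name, removed')),
    el('a-', text('a trailing hyphen is valid per the grammar, kept')),
  );
}

function demo() {
  const root = buildSample();
  const removed = stripXmlOnlyNodes(root);
  return { removed, remaining: root.childNodes.map((n) => n.localName) };
}
```

The check that matters most in practice sits outside this code: pick the
parser mode that matches where the output will be rendered. If the
sanitized string ends up in an HTML context, sanitize with the default
text/html PARSER_MEDIA_TYPE rather than application/xhtml+xml, because the
node-level filtering above cannot undo the fact that the two parsers
tokenize the same bytes differently.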
*Packages*
Updated packages are available here:
https://github.com/cure53/DOMPurify/releases/tag/2.4.8
https://github.com/cure53/DOMPurify/releases/tag/3.0.10
EOF
--
Fon +49 1520 8675 782
PGP 0xC26C858090F70ADA
cure53.de || keybase.io/cure53 || @cure53berlin