[DOMPurify Security] New Release Version 2.0.4 (Security Issue)

Security Announcements for DOMPurify and related tools dompurify-security at lists.ruhr-uni-bochum.de
Mon Oct 7 15:40:18 CEST 2019


A new version of DOMPurify was released today: DOMPurify 2.0.4


Following the release of DOMPurify 2.0.3, another mXSS variation,
spotted by Masato Kinugawa was addressed and fixed. This time, the
attack made use of MathML embedded inside inline SVG.


DOMPurify is now more aware of this and comparable browser issues
and changes the sanitization behavior to be more secure. The fix has
been reviewed by the original finder as well.


Updated packages are available here:


Fon  +49 1520 8675 782
PGP  0xC26C858090F70ADA

cure53.de || keybase.io/cure53 || @cure53berlin

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: OpenPGP digital signature
URL: <http://lists.ruhr-uni-bochum.de/pipermail/dompurify-security/attachments/20191007/87510db6/attachment.sig>

More information about the DOMPurify-Security mailing list