This advisory has been withdrawn because the user must configure jsdom to allow access to local files.
Original Description
JSDom improperly allows the loading of local resources, which allows for local files to be manipulated by a malicious web page when script execution is enabled.
Release Notes
jsdom/jsdom (jsdom)
### [`v16.5.0`](https://togithub.com/jsdom/jsdom/blob/HEAD/Changelog.md#1650)
[Compare Source](https://togithub.com/jsdom/jsdom/compare/16.4.0...16.5.0)
- Added `window.queueMicrotask()`.
- Added `window.event`.
- Added `inputEvent.inputType`. (diegohaz)
- Removed `ondragexit` from `Window` and friends, per a spec update.
- Fixed the URL of `about:blank` iframes. Previously it was getting set to the parent's URL. (SimonMueller)
- Fixed the loading of subresources from the filesystem when they had non-ASCII filenames.
- Fixed the `hidden=""` attribute to cause `display: none` per the user-agent stylesheet. (ph-fritsche)
- Fixed the `new File()` constructor to no longer convert `/` to `:`, per [a pending spec update](https://togithub.com/w3c/FileAPI/issues/41).
- Fixed mutation observer callbacks to be called with the `MutationObserver` instance as their `this` value.
- Fixed `` and `` to be mutable even when disabled, per [a spec update](https://togithub.com/whatwg/html/pull/5805).
- Fixed `XMLHttpRequest` to not fire a redundant final `progress` event if a `progress` event was previously fired with the same `loaded` value. This would usually occur with small files.
- Fixed `XMLHttpRequest` to expose the `Content-Length` header on cross-origin responses.
- Fixed `xhr.response` to return `null` for failures that occur during the middle of the download.
- Fixed edge cases around passing callback functions or event handlers. (ExE-Boss)
- Fixed edge cases around the properties of proxy-like objects such as `localStorage` or `dataset`. (ExE-Boss)
- Fixed a potential memory leak with custom elements (although we could not figure out how to trigger it). (soncodi)
### [`v16.4.0`](https://togithub.com/jsdom/jsdom/blob/HEAD/Changelog.md#1640)
[Compare Source](https://togithub.com/jsdom/jsdom/compare/16.3.0...16.4.0)
- Added a not-implemented warning if you try to use the second pseudo-element argument to `getComputedStyle()`, unless you pass a `::part` or `::slotted` pseudo-element, in which case we throw an error per the spec. (ExE-Boss)
- Improved the performance of repeated access to `el.tagName`, which also indirectly improves performance of selector matching and style computation. (eps1lon)
- Fixed `form.elements` to respect the `form=""` attribute, so that it can contain non-descendant form controls. (ccwebdesign)
- Fixed `el.focus()` to do nothing on disconnected elements. (eps1lon)
- Fixed `el.focus()` to work on SVG elements. (zjffun)
- Fixed removing the currently-focused element to move focus to the `` element. (eps1lon)
- Fixed `imgEl.complete` to return true for `` elements with empty or unset `src=""` attributes. (strager)
- Fixed `imgEl.complete` to return true if an error occurs loading the ``, when canvas is enabled. (strager)
- Fixed `imgEl.complete` to return false if the `` element's `src=""` attribute is reset. (strager)
- Fixed the `valueMissing` validation check for ``. (zjffun)
- Fixed `translate=""` and `draggable=""` attribute processing to use ASCII case-insensitivity, instead of Unicode case-insensitivity. (zjffun)
### [`v16.3.0`](https://togithub.com/jsdom/jsdom/blob/HEAD/Changelog.md#1630)
[Compare Source](https://togithub.com/jsdom/jsdom/compare/16.2.2...16.3.0)
- Added firing of `focusin` and `focusout` when using `el.focus()` and `el.blur()`. (trueadm)
- Fixed elements with the `contenteditable=""` attribute to be considered as focusable. (jamieliu386)
- Fixed `window.NodeFilter` to be per-`Window`, instead of shared across all `Window`s. (ExE-Boss)
- Fixed edge-case behavior involving use of objects with `handleEvent` properties as event listeners. (ExE-Boss)
- Fixed a second failing image load sometimes firing a `load` event instead of an `error` event, when the `canvas` package is installed. (strager)
- Fixed drawing an empty canvas into another canvas. (zjffun)
### [`v16.2.2`](https://togithub.com/jsdom/jsdom/blob/HEAD/Changelog.md#1622)
[Compare Source](https://togithub.com/jsdom/jsdom/compare/16.2.1...16.2.2)
- Updated `StyleSheetList` for better spec compliance; notably it no longer inherits from `Array.prototype`. (ExE-Boss)
- Fixed `requestAnimationFrame()` from preventing process exit. This likely regressed in v16.1.0.
- Fixed `setTimeout()` to no longer leak the closures passed in to it. This likely regressed in v16.1.0. (AviVahl)
- Fixed infinite recursion that could occur when calling `click()` on a `
This PR contains the following updates:
11.6.2 -> 16.5.0
GitHub Vulnerability Alerts
CVE-2021-20066 (Withdrawn Advisory)