apostrophecms/sanitize-html (sanitize-html)
### [`v2.12.1`](https://togithub.com/apostrophecms/sanitize-html/blob/HEAD/CHANGELOG.md#2121-2024-02-22)
[Compare Source](https://togithub.com/apostrophecms/sanitize-html/compare/5a5a74e179ef98075a0c61789f64e009f6b4ac29...2.12.1)
- Do not parse sourcemaps in `post-css`. This fixes a vulnerability in which information about the existence or non-existence of files on a server could be disclosed via properly crafted HTML input when the `style` attribute is allowed by the configuration. Thanks to the [Snyk Security team](https://snyk.io/) for the disclosure and to [Dylan Armstrong](https://dylan.is/) for the fix.
### [`v2.12.0`](https://togithub.com/apostrophecms/sanitize-html/blob/HEAD/CHANGELOG.md#2120-2024-02-21)
[Compare Source](https://togithub.com/apostrophecms/sanitize-html/compare/2.11.0...5a5a74e179ef98075a0c61789f64e009f6b4ac29)
- Introduced the `allowedEmptyAttributes` option, enabling explicit specification of empty string values for select attributes, with the default attribute set to `alt`. Thanks to [Na](https://togithub.com/zhna123) for the contribution.
- Clarified the use of SVGs with a new test and changes to documentation. Thanks to [Gauav Kumar](https://togithub.com/gkumar9891) for the contribution.
### [`v2.11.0`](https://togithub.com/apostrophecms/sanitize-html/blob/HEAD/CHANGELOG.md#2110-2023-06-21)
[Compare Source](https://togithub.com/apostrophecms/sanitize-html/compare/2.10.0...2.11.0)
- Fix to allow `false` in `allowedClasses` attributes. Thanks to [Kevin Jiang](https://togithub.com/KevinSJ) for this fix!
- Upgrade mocha version
- Apply small linter fixes in tests
- Add `.idea` temp files to `.gitignore`
- Thanks to [Vitalii Shpital](https://togithub.com/VitaliiShpital) for the updates!
- Show parseStyleAttributes warning in browser only. Thanks to [mog422](https://togithub.com/mog422) for this update!
- Remove empty non-boolean attributes via an exhaustive, configurable list of known non-boolean attributes. [Thanks to Dylan Armstrong](https://togithub.com/dylanarmstrong) for this update!
### [`v2.10.0`](https://togithub.com/apostrophecms/sanitize-html/blob/HEAD/CHANGELOG.md#2100-2023-02-17)
[Compare Source](https://togithub.com/apostrophecms/sanitize-html/compare/2.9.0...2.10.0)
- Fix auto-adding escaped closing tags. In other words, do not add implied closing tags to disallowed tags when `disallowedTagMode` is set to any variant of `escape` -- just escape the disallowed tags that are present. This fixes [issue #464](https://togithub.com/apostrophecms/sanitize-html/issues/464). Thanks to [Daniel Liebner](https://togithub.com/dliebner).
- Add `tagAllowed()` helper function which takes a tag name and checks it against `options.allowedTags` and returns `true` if the tag is allowed and `false` if it is not.
### [`v2.9.0`](https://togithub.com/apostrophecms/sanitize-html/blob/HEAD/CHANGELOG.md#290-2023-01-27)
[Compare Source](https://togithub.com/apostrophecms/sanitize-html/compare/2.8.1...2.9.0)
- Add option parseStyleAttributes to skip style parsing. This fixes [issue #547](https://togithub.com/apostrophecms/sanitize-html/issues/547). Thanks to [Bert Verhelst](https://togithub.com/bertyhell).
### [`v2.8.1`](https://togithub.com/apostrophecms/sanitize-html/blob/HEAD/CHANGELOG.md#281-2022-12-21)
[Compare Source](https://togithub.com/apostrophecms/sanitize-html/compare/2.8.0...2.8.1)
- If the argument is a number, convert it to a string, for backwards compatibility. Thanks to [Alexander Schranz](https://togithub.com/alexander-schranz).
### [`v2.8.0`](https://togithub.com/apostrophecms/sanitize-html/blob/HEAD/CHANGELOG.md#280-2022-12-12)
[Compare Source](https://togithub.com/apostrophecms/sanitize-html/compare/2.7.3...2.8.0)
- Upgrades `htmlparser2` to new major version `^8.0.0`. Thanks to [Kedar Chandrayan](https://togithub.com/kedarchandrayan) for this contribution.
### [`v2.7.3`](https://togithub.com/apostrophecms/sanitize-html/blob/HEAD/CHANGELOG.md#273-2022-10-24)
[Compare Source](https://togithub.com/apostrophecms/sanitize-html/compare/2.7.2...2.7.3)
- If allowedTags is falsy but not exactly `false`, then do not assume that all tags are allowed. Rather, allow no tags in this case, to be on the safe side. This matches the existing documentation and fixes [issue #176](https://togithub.com/apostrophecms/sanitize-html/issues/176). Thanks to [Kedar Chandrayan](https://togithub.com/kedarchandrayan) for the fix.
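The fail-closed `allowedTags` rule above and the `tagAllowed()` helper from the v2.10.0 notes can be illustrated together. The following is an added example written for this page, not sanitize-html's own code: it models only the documented semantics (`false` allows everything, any other falsy value allows nothing, an array is an allowlist) and uses a deliberately simple tag tokenizer on a constructed fragment to show which tags each configuration would drop.

```javascript
// Added illustration of the documented allowedTags semantics; this is
// NOT sanitize-html's implementation.
//   allowedTags === false        -> every tag is allowed (explicit opt-out)
//   allowedTags falsy, not false -> no tag is allowed (fail closed)
//   allowedTags is an array      -> only the listed tags are allowed
function tagAllowed(name, options) {
  const allowed = options.allowedTags;
  if (allowed === false) {
    return true;
  }
  if (!allowed) {
    // undefined, null, '' or 0 is a misconfiguration: deny rather than allow all
    return false;
  }
  return allowed.includes(name.toLowerCase());
}

// Returns the sorted, de-duplicated tag names in `html` that the given options
// would reject. The regex tokenizer is a demo shortcut; a real sanitizer uses a
// full HTML parser (sanitize-html uses htmlparser2).
function disallowedTagsIn(html, options) {
  const tagRe = /<\/?([a-zA-Z][a-zA-Z0-9-]*)[^>]*>/g;
  const dropped = new Set();
  let match;
  while ((match = tagRe.exec(html)) !== null) {
    const name = match[1].toLowerCase();
    if (!tagAllowed(name, options)) {
      dropped.add(name);
    }
  }
  return [...dropped].sort();
}

// Constructed sample input (not taken from the PR or the project).
const SAMPLE = '<p>hi <b>bold</b><script>x()</script><img src=x onerror=x()></p>';

// Typical allowlist: only p and b survive.
console.log(disallowedTagsIn(SAMPLE, { allowedTags: ['p', 'b'] }));
// Forgotten option: fail closed, everything is dropped.
console.log(disallowedTagsIn(SAMPLE, {}));
// Explicit opt-out: nothing is dropped.
console.log(disallowedTagsIn(SAMPLE, { allowedTags: false }));
```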
### [`v2.7.2`](https://togithub.com/apostrophecms/sanitize-html/blob/HEAD/CHANGELOG.md#272-2022-09-15)
[Compare Source](https://togithub.com/apostrophecms/sanitize-html/compare/2.7.1...2.7.2)
- Closing tags must agree with opening tags. This fixes [issue #549](https://togithub.com/apostrophecms/sanitize-html/issues/549), in which closing tags not associated with any permitted opening tag could be passed through. No known exploit exists, but it's better not to permit this. Thanks to [Kedar Chandrayan](https://togithub.com/kedarchandrayan) for the report and the fix.
### [`v2.7.1`](https://togithub.com/apostrophecms/sanitize-html/blob/HEAD/CHANGELOG.md#271-2022-07-20)
[Compare Source](https://togithub.com/apostrophecms/sanitize-html/compare/2.7.0...2.7.1)
- Protocol-relative URLs are properly supported for script tags. Thanks to [paweljq](https://togithub.com/paweljq).
- A denial-of-service vulnerability has been fixed by replacing global regular expression replacement logic for comment removal with a new implementation. Thanks to Nariyoshi Chida of NTT Security Japan for pointing out the issue.
### [`v2.7.0`](https://togithub.com/apostrophecms/sanitize-html/blob/HEAD/CHANGELOG.md#270-2022-02-04)
[Compare Source](https://togithub.com/apostrophecms/sanitize-html/compare/2.6.1...2.7.0)
- Allows a more sensible set of default attributes on `` tags. Thanks to [Zade Viggers](https://togithub.com/zadeviggers).
### [`v2.6.1`](https://togithub.com/apostrophecms/sanitize-html/blob/HEAD/CHANGELOG.md#261-2021-12-08)
[Compare Source](https://togithub.com/apostrophecms/sanitize-html/compare/2.6.0...2.6.1)
- Fixes style filtering to retain `!important` when used.
- Fixed trailing text bug on `transformTags` options that was reported on [issue #506](https://togithub.com/apostrophecms/sanitize-html/issues/506). Thanks to [Alex Rantos](https://togithub.com/alex-rantos).
Configuration
📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR has been generated by Mend Renovate. View repository job log here.
This PR contains the following updates: `sanitize-html` 2.6.0 -> 2.12.1.