JSDom improperly allows the loading of local resources, which allows for local files to be manipulated by a malicious web page when script execution is enabled.
Release Notes
jsdom/jsdom (jsdom)
### [`v16.5.0`](https://togithub.com/jsdom/jsdom/blob/HEAD/Changelog.md#1650)
[Compare Source](https://togithub.com/jsdom/jsdom/compare/16.4.0...16.5.0)
- Added `window.queueMicrotask()`.
- Added `window.event`.
- Added `inputEvent.inputType`. (diegohaz)
- Removed `ondragexit` from `Window` and friends, per a spec update.
- Fixed the URL of `about:blank` iframes. Previously it was getting set to the parent's URL. (SimonMueller)
- Fixed the loading of subresources from the filesystem when they had non-ASCII filenames.
- Fixed the `hidden=""` attribute to cause `display: none` per the user-agent stylesheet. (ph-fritsche)
- Fixed the `new File()` constructor to no longer convert `/` to `:`, per [a pending spec update](https://togithub.com/w3c/FileAPI/issues/41).
- Fixed mutation observer callbacks to be called with the `MutationObserver` instance as their `this` value.
- Fixed `` and `` to be mutable even when disabled, per [a spec update](https://togithub.com/whatwg/html/pull/5805).
- Fixed `XMLHttpRequest` to not fire a redundant final `progress` event if a `progress` event was previously fired with the same `loaded` value. This would usually occur with small files.
- Fixed `XMLHttpRequest` to expose the `Content-Length` header on cross-origin responses.
- Fixed `xhr.response` to return `null` for failures that occur during the middle of the download.
- Fixed edge cases around passing callback functions or event handlers. (ExE-Boss)
- Fixed edge cases around the properties of proxy-like objects such as `localStorage` or `dataset`. (ExE-Boss)
- Fixed a potential memory leak with custom elements (although we could not figure out how to trigger it). (soncodi)
### [`v16.4.0`](https://togithub.com/jsdom/jsdom/blob/HEAD/Changelog.md#1640)
[Compare Source](https://togithub.com/jsdom/jsdom/compare/16.3.0...16.4.0)
- Added a not-implemented warning if you try to use the second pseudo-element argument to `getComputedStyle()`, unless you pass a `::part` or `::slotted` pseudo-element, in which case we throw an error per the spec. (ExE-Boss)
- Improved the performance of repeated access to `el.tagName`, which also indirectly improves performance of selector matching and style computation. (eps1lon)
- Fixed `form.elements` to respect the `form=""` attribute, so that it can contain non-descendant form controls. (ccwebdesign)
- Fixed `el.focus()` to do nothing on disconnected elements. (eps1lon)
- Fixed `el.focus()` to work on SVG elements. (zjffun)
- Fixed removing the currently-focused element to move focus to the `` element. (eps1lon)
- Fixed `imgEl.complete` to return true for `` elements with empty or unset `src=""` attributes. (strager)
- Fixed `imgEl.complete` to return true if an error occurs loading the ``, when canvas is enabled. (strager)
- Fixed `imgEl.complete` to return false if the `` element's `src=""` attribute is reset. (strager)
- Fixed the `valueMissing` validation check for ``. (zjffun)
- Fixed `translate=""` and `draggable=""` attribute processing to use ASCII case-insensitivity, instead of Unicode case-insensitivity. (zjffun)
### [`v16.3.0`](https://togithub.com/jsdom/jsdom/blob/HEAD/Changelog.md#1630)
[Compare Source](https://togithub.com/jsdom/jsdom/compare/16.2.2...16.3.0)
- Added firing of `focusin` and `focusout` when using `el.focus()` and `el.blur()`. (trueadm)
- Fixed elements with the `contenteditable=""` attribute to be considered as focusable. (jamieliu386)
- Fixed `window.NodeFilter` to be per-`Window`, instead of shared across all `Window`s. (ExE-Boss)
- Fixed edge-case behavior involving use of objects with `handleEvent` properties as event listeners. (ExE-Boss)
- Fixed a second failing image load sometimes firing a `load` event instead of an `error` event, when the `canvas` package is installed. (strager)
- Fixed drawing an empty canvas into another canvas. (zjffun)
### [`v16.2.2`](https://togithub.com/jsdom/jsdom/blob/HEAD/Changelog.md#1622)
[Compare Source](https://togithub.com/jsdom/jsdom/compare/16.2.1...16.2.2)
- Updated `StyleSheetList` for better spec compliance; notably it no longer inherits from `Array.prototype`. (ExE-Boss)
- Fixed `requestAnimationFrame()` from preventing process exit. This likely regressed in v16.1.0.
- Fixed `setTimeout()` to no longer leak the closures passed in to it. This likely regressed in v16.1.0. (AviVahl)
- Fixed infinite recursion that could occur when calling `click()` on a `
This PR contains the following updates:
^11.0.0->^16.0.0GitHub Vulnerability Alerts
CVE-2021-20066
JSDom improperly allows the loading of local resources, which allows for local files to be manipulated by a malicious web page when script execution is enabled.
Release Notes
jsdom/jsdom (jsdom)
### [`v16.5.0`](https://togithub.com/jsdom/jsdom/blob/HEAD/Changelog.md#1650) [Compare Source](https://togithub.com/jsdom/jsdom/compare/16.4.0...16.5.0) - Added `window.queueMicrotask()`. - Added `window.event`. - Added `inputEvent.inputType`. (diegohaz) - Removed `ondragexit` from `Window` and friends, per a spec update. - Fixed the URL of `about:blank` iframes. Previously it was getting set to the parent's URL. (SimonMueller) - Fixed the loading of subresources from the filesystem when they had non-ASCII filenames. - Fixed the `hidden=""` attribute to cause `display: none` per the user-agent stylesheet. (ph-fritsche) - Fixed the `new File()` constructor to no longer convert `/` to `:`, per [a pending spec update](https://togithub.com/w3c/FileAPI/issues/41). - Fixed mutation observer callbacks to be called with the `MutationObserver` instance as their `this` value. - Fixed `` and `` to be mutable even when disabled, per [a spec update](https://togithub.com/whatwg/html/pull/5805). - Fixed `XMLHttpRequest` to not fire a redundant final `progress` event if a `progress` event was previously fired with the same `loaded` value. This would usually occur with small files. - Fixed `XMLHttpRequest` to expose the `Content-Length` header on cross-origin responses. - Fixed `xhr.response` to return `null` for failures that occur during the middle of the download. - Fixed edge cases around passing callback functions or event handlers. (ExE-Boss) - Fixed edge cases around the properties of proxy-like objects such as `localStorage` or `dataset`. (ExE-Boss) - Fixed a potential memory leak with custom elements (although we could not figure out how to trigger it). (soncodi) ### [`v16.4.0`](https://togithub.com/jsdom/jsdom/blob/HEAD/Changelog.md#1640) [Compare Source](https://togithub.com/jsdom/jsdom/compare/16.3.0...16.4.0) - Added a not-implemented warning if you try to use the second pseudo-element argument to `getComputedStyle()`, unless you pass a `::part` or `::slotted` pseudo-element, in which case we throw an error per the spec. (ExE-Boss) - Improved the performance of repeated access to `el.tagName`, which also indirectly improves performance of selector matching and style computation. (eps1lon) - Fixed `form.elements` to respect the `form=""` attribute, so that it can contain non-descendant form controls. (ccwebdesign) - Fixed `el.focus()` to do nothing on disconnected elements. (eps1lon) - Fixed `el.focus()` to work on SVG elements. (zjffun) - Fixed removing the currently-focused element to move focus to the `` element. (eps1lon) - Fixed `imgEl.complete` to return true for `