| 1 | # CHANGELOG
|
|---|
| 2 |
|
|---|
| 3 | ## 7.0.0
|
|---|
| 4 |
|
|---|
| 5 | - Move constant declarations from index file to `constants.ts` file
|
|---|
| 6 | - Update to node v18
|
|---|
| 7 |
|
|---|
| 8 | - Dev Dependency Updates
|
|---|
| 9 | - Update to TypeScript 5
|
|---|
| 10 | - Other minor dependency updates
|
|---|
| 11 |
|
|---|
| 12 | ## 6.0.4
|
|---|
| 13 |
|
|---|
| 14 | - Add additional null byte sanitization prior to html decoding (#48)
|
|---|
| 15 |
|
|---|
| 16 | ## 6.0.3
|
|---|
| 17 |
|
|---|
| 18 | - Add null check to beginning of `sanitizeUrl` function ([#54](https://github.com/braintree/sanitize-url/issues/54))
|
|---|
| 19 |
|
|---|
| 20 | ## 6.0.2
|
|---|
| 21 |
|
|---|
| 22 | - Fix issue where urls in the form `https://example.com

/something` were not properly sanitized
|
|---|
| 23 |
|
|---|
| 24 | ## 6.0.1
|
|---|
| 25 |
|
|---|
| 26 | - Fix issue where urls in the form `javascript:alert('xss');` were not properly sanitized
|
|---|
| 27 | - Fix issue where urls in the form `javasc	ript:alert('XSS');` were not properly sanitized
|
|---|
| 28 |
|
|---|
| 29 | ## 6.0.0
|
|---|
| 30 |
|
|---|
| 31 | **Breaking Changes**
|
|---|
| 32 |
|
|---|
| 33 | - Decode HTML characters automatically that would result in an XSS vulnerability when rendering links via a server rendered HTML file
|
|---|
| 34 |
|
|---|
| 35 | ```js
|
|---|
| 36 | // decodes to javacript:alert('XSS')
|
|---|
| 37 | const vulnerableUrl =
|
|---|
| 38 | "javascript:alert('XSS')";
|
|---|
| 39 |
|
|---|
| 40 | sanitizeUrl(vulnerableUrl); // 'about:blank'
|
|---|
| 41 |
|
|---|
| 42 | const okUrl = "https://example.com/" + vulnerableUrl;
|
|---|
| 43 |
|
|---|
| 44 | // since the javascript bit is in the path instead of the protocol
|
|---|
| 45 | // this is successfully sanitized
|
|---|
| 46 | sanitizeUrl(okUrl); // 'https://example.com/javascript:alert('XSS');
|
|---|
| 47 | ```
|
|---|
| 48 |
|
|---|
| 49 | ## 5.0.2
|
|---|
| 50 |
|
|---|
| 51 | - Fix issue where certain invisible white space characters were not being sanitized (#35)
|
|---|
| 52 |
|
|---|
| 53 | ## 5.0.1
|
|---|
| 54 |
|
|---|
| 55 | - Fix issue where certain safe characters were being filtered out (#31 thanks @akirchmyer)
|
|---|
| 56 |
|
|---|
| 57 | ## 5.0.0
|
|---|
| 58 |
|
|---|
| 59 | _Breaking Changes_
|
|---|
| 60 |
|
|---|
| 61 | - Sanitize vbscript urls (thanks @vicnicius)
|
|---|
| 62 |
|
|---|
| 63 | ## 4.1.1
|
|---|
| 64 |
|
|---|
| 65 | - Fixup path to type declaration (closes #25)
|
|---|
| 66 |
|
|---|
| 67 | ## 4.1.0
|
|---|
| 68 |
|
|---|
| 69 | - Add typescript types
|
|---|
| 70 |
|
|---|
| 71 | ## 4.0.1
|
|---|
| 72 |
|
|---|
| 73 | - Fix issue where urls with accented characters were incorrectly sanitized
|
|---|
| 74 |
|
|---|
| 75 | ## 4.0.0
|
|---|
| 76 |
|
|---|
| 77 | _Breaking Changes_
|
|---|
| 78 |
|
|---|
| 79 | - Protocol-less urls (ie: www.example.com) will be sanitised and passed on instead of sending out `about:blank` (Thanks @chawes13 #18)
|
|---|
| 80 |
|
|---|
| 81 | ## 3.1.0
|
|---|
| 82 |
|
|---|
| 83 | - Trim whitespace from urls
|
|---|
| 84 |
|
|---|
| 85 | ## 3.0.0
|
|---|
| 86 |
|
|---|
| 87 | _breaking changes_
|
|---|
| 88 |
|
|---|
| 89 | - Replace blank strings with about:blank
|
|---|
| 90 | - Replace null values with about:blank
|
|---|
| 91 |
|
|---|
| 92 | ## 2.1.0
|
|---|
| 93 |
|
|---|
| 94 | - Allow relative urls to be sanitized
|
|---|
| 95 |
|
|---|
| 96 | ## 2.0.2
|
|---|
| 97 |
|
|---|
| 98 | - Sanitize malicious URLs that begin with `\s`
|
|---|
| 99 |
|
|---|
| 100 | ## 2.0.1
|
|---|
| 101 |
|
|---|
| 102 | - Sanitize malicious URLs that begin with %20
|
|---|
| 103 |
|
|---|
| 104 | ## 2.0.0
|
|---|
| 105 |
|
|---|
| 106 | - sanitize data: urls
|
|---|
| 107 |
|
|---|
| 108 | ## 1.0.0
|
|---|
| 109 |
|
|---|
| 110 | - sanitize javascript: urls
|
|---|
