Skip to content

DOMPurify 2.0.16

Choose a tag to compare
@cure53 cure53 released this 18 Sep 12:30
· 519 commits to main since this release
  • Fixed an mXSS-based bypass caused by nested forms inside MathML
  • Fixed a security error thrown on older Chrome on Android versions, see #470

Credits for the bypass go to Michał Bentkowski (@securityMB) of Securitum who spotted the bug in Chrome, turned it into another DOMPurify bypass, reported and helped verifying the fix 🙇‍♂️ 🙇‍♀️