DOMPurify 2.0.16
·
1022 commits
to main
since this release
- Fixed an mXSS-based bypass caused by nested forms inside MathML
- Fixed a security error thrown on older Chrome on Android versions, see #470
Credits for the bypass go to Michał Bentkowski (@securityMB) of Securitum who spotted the bug in Chrome, turned it into another DOMPurify bypass, reported and helped verifying the fix 🙇♂️ 🙇♀️