3.1.2
A maintenance release: reflected-XSS false-positive fixes, stricter URL-scheme handling, async server / MCP resource-safety, and documentation accuracy fixes.
Fixed
- Reject non-
http(s)URL schemes outright instead of mangling them into malformed targets. - Suppressed a false
[R]forjavascript:WAF strip-mutations reflected in inert contexts, and a false[V]foron*handlers on<input type="hidden">. Fixes #1183. - Resource-safety, REST / MCP parity, and hot-path performance fixes across the async scan front-ends — bounded worker leaks, reclaimed job slots, and aligned server / MCP options. Fixes #1190.
Performance & Reliability
- Bounded query-discovery memory with a chunked spawn-and-drain, capping live-task memory during parameter mining.
Documentation
- Clarified that
--scan-timeoutcaps only the injection stage, and corrected the MCP encoder list (#1182), theserverflag table (#1175), the Google Frontend WAF confidence value (#1181), and the URI-scheme payload example (#1174). - Version-bump tooling now keeps the installation guide's
dalfox <version>example in lockstep, fixing the stale sample (#1180).
New Contributors
- @bonanza127 made their first contribution in #1173
- @MeGaurav4 made their first contribution in #1178
- @MaxwellM34 made their first contribution in #1179
- @TrueNix made their first contribution in #1180
Full Changelog: v3.1.1...v3.1.2