Breaking
- Security Fix: Ensure `esc` always returns a string: 58a5c36
NOTE: This should only be a breaking change if you used `esc` directly.
Previously, any non-`string` input was returned as is. Now, everything is returned as a string.
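This change prevents XSS attacks within Array values:

```js
import * as tempura from 'tempura';

// The array is coerced to a string during concatenation, so its contents reach the markup.
let html = '<div>' + tempura.esc(['<img src=x onerror="alert(1)" />']) + '</div>';
// before: '<div><img src=x onerror="alert(1)" /></div>'
// after: '<div>&lt;img src=x onerror=&quot;alert(1)&quot; /></div>'
```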
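The same failure mode extends to any non-string value that stringifies to markup. The following is an added example, not tempura's source code: `escBefore` and `escAfter` are hypothetical stand-ins for the old and new behaviour, and the `&`, `"`, `<` escape set is an assumption.

```javascript
// Illustrative re-creation of the bug class; not tempura's source code.
// Assumption: the escaper covers & " < only.
const CHARS = { '&': '&amp;', '"': '&quot;', '<': '&lt;' };
const escapeString = (s) => s.replace(/[&"<]/g, (c) => CHARS[c]);

// Old behaviour as described: non-string input is returned as is.
function escBefore(value) {
  if (typeof value !== 'string') return value;
  return escapeString(value);
}

// New behaviour as described: coerce first, so a string always comes back.
function escAfter(value) {
  return escapeString(String(value));
}

// Constructed inputs: each one turns into markup once concatenated.
const payload = '<img src=x onerror="alert(1)" />';
const samples = {
  string: payload,
  array: [payload],
  object: { toString: () => payload },
  number: 42,
};

// Mirrors the string concatenation a compiled template performs.
function render(esc, value) {
  return '<div>' + esc(value) + '</div>';
}

// Renders every sample through both versions and flags raw markup.
function audit() {
  const report = {};
  for (const [kind, value] of Object.entries(samples)) {
    const before = render(escBefore, value);
    const after = render(escAfter, value);
    report[kind] = {
      before,
      after,
      rawTagBefore: before.includes('<img'),
      rawTagAfter: after.includes('<img'),
    };
  }
  return report;
}

console.log(audit());
```

Plain strings were escaped by both versions; only the array and the object with a custom `toString` carried a raw tag through the old code path.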
Full Changelog: v0.3.2...v0.4.0