v0.4.0

@lukeed lukeed released this 26 Oct 15:21

Breaking

  • Security Fix: Ensure esc always returns a string: 58a5c36
    NOTE: This should only be a breaking change if you used esc directly.
    Previously, any non-string input was returned as is. Now, everything is returned as a string.
    This change closes an XSS vector in which an Array value (or any other non-string) passed through esc unescaped:

    import * as tempura from 'tempura';

    // Before v0.4.0 the Array was returned as-is and string concatenation rendered it unescaped.
    let html = '<div>' + tempura.esc(['<img src=x onerror="alert(1)" />']) + '</div>';
    // before: '<div><img src=x onerror="alert(1)" /></div>'
    // after: '<div>&ltimg src=x onerror=&quot;alert(1)&quot; /></div>'
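    The mechanism behind the fix, as an added example that is not tempura's own source: a legacy escaper that returns non-string input untouched is placed beside one that coerces first, and both are run through the same template. The entity table, the helper names (escLegacy, escFixed, render, innerHasRawTag) and the sample payload are assumptions made for this demonstration, not tempura's exact output.

```javascript
// Added example, not tempura's own source: shows why an HTML escaper must
// coerce every input to a string before escaping. The entity table below is
// an assumption for the demonstration, not tempura's exact output.
const ENTITY_RE = /[&<>"']/g;
const ENTITIES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Pre-fix behaviour: non-string values are returned as-is. When the caller
// concatenates the result, Array#toString runs and the contents bypass escaping.
function escLegacy(value) {
  if (typeof value !== 'string') return value;
  return value.replace(ENTITY_RE, ch => ENTITIES[ch]);
}

// Fixed behaviour: coerce first (null/undefined become ''), then escape.
// Whatever the input type, the result is always a string.
function escFixed(value) {
  const str = value == null ? '' : String(value);
  return str.replace(ENTITY_RE, ch => ENTITIES[ch]);
}

// Minimal template: interpolate one untrusted value into a fixed wrapper.
function render(esc, value) {
  return '<div>' + esc(value) + '</div>';
}

// Defender-side check: once escaping is applied, the interpolated region
// must contain no raw tag delimiters at all.
function innerHasRawTag(html) {
  const inner = html.slice('<div>'.length, -'</div>'.length);
  return /[<>]/.test(inner);
}

// Constructed sample: an array wrapping a markup string, as in the release note.
const SAMPLE = ['<img src=x onerror="alert(1)" />'];

function demo() {
  const before = render(escLegacy, SAMPLE);
  const after = render(escFixed, SAMPLE);
  return {
    before,
    after,
    beforeLeaks: innerHasRawTag(before), // true: markup survived intact
    afterLeaks: innerHasRawTag(after),   // false: every delimiter was encoded
  };
}

console.log(demo());
```

    The same coercion also normalises the other non-string inputs a template might receive: numbers render as their decimal text, null and undefined render as an empty string, and a multi-element array is joined with commas before being escaped, so nothing reaches the page without passing through the entity table.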

Full Changelog: v0.3.2...v0.4.0