2.10.1

neikiri released this 18 May 18:23

· 16 commits to main since this release

3c5271f

2.10.1

Fixed

HTML Sanitizer XSS Vulnerability — fixed a cross-site scripting (XSS) vulnerability in the sanitizer's entity decoding logic
Replaced innerHTML-based entity decoding with a safe regex-based implementation that never parses HTML
Added safe support for:
- named entities such as &, <, >, ", ', and  
- numeric entities like {
- hexadecimal entities like 💩

Security

Eliminated HTML parsing during entity decoding to reduce XSS attack surface
Hardened sanitizer internals against malicious entity-based payloads

Full Changelog: 2.10.0...2.10.1

Assets 2