v6.0.2

@rgrove rgrove released this 06 Jul 14:57
76ed46e

Bug Fixes

  • CVE-2023-36823: Fixed an HTML+CSS sanitization bypass that could allow XSS (cross-site scripting). This issue affects Sanitize versions 3.0.0 through 6.0.1.

    When using Sanitize's relaxed config or a custom config that allows <style> elements and one or more CSS at-rules, carefully crafted input could be used to sneak arbitrary HTML through Sanitize.

    See the following security advisory for additional details: GHSA-f5ww-cq3m-q3g7

    Thanks to @cure53 for finding this issue.
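The exposure condition described above (an affected version, `<style>` allowed, and at least one CSS at-rule allowed) as an added audit helper for defenders, written for this page and not part of Sanitize or this release. It uses only Ruby's stdlib `Gem::Version`; the config Hash is a constructed sample that mirrors the shape of Sanitize's config (`:elements` plus a `:css` Hash with at-rule allow-lists), and `harden_config` returns a plain Hash intended for `Sanitize::Config.merge` as an interim step until the upgrade to 6.0.2 is in place.

```ruby
require 'rubygems' # Gem::Version / Gem::Requirement (stdlib)

# Affected range as stated in the release note: Sanitize 3.0.0 through 6.0.1.
AFFECTED_RANGE = Gem::Requirement.new('>= 3.0.0', '<= 6.0.1')

# Keys under :css where Sanitize keeps its at-rule allow-lists (assumed names,
# mirroring Sanitize::CSS's config; adjust if your config uses different ones).
AT_RULE_KEYS = %i[at_rules at_rules_with_properties at_rules_with_styles].freeze

# Constructed sample config shaped like a relaxed-style Sanitize config:
# <style> is allowed and two at-rule allow-lists are non-empty.
SAMPLE_RELAXED_LIKE = {
  elements: %w[a p div span style],
  css: {
    at_rules_with_properties: %w[font-face page],
    at_rules_with_styles: %w[media supports],
    properties: %w[color background-color]
  }
}.freeze

# Every at-rule name the config allows, across all at-rule allow-lists.
def allowed_at_rules(config)
  css = config[:css] || {}
  AT_RULE_KEYS.flat_map { |key| Array(css[key]) }
end

# True when this version/config pair matches the advisory's condition:
# affected version AND <style> allowed AND at least one CSS at-rule allowed.
def exposed_to_cve_2023_36823?(version, config)
  AFFECTED_RANGE.satisfied_by?(Gem::Version.new(version)) &&
    Array(config[:elements]).include?('style') &&
    !allowed_at_rules(config).empty?
end

# Interim hardening for deployments that cannot upgrade immediately: drop
# <style> from the allowed elements and remove every at-rule allow-list,
# leaving the remaining CSS settings (properties, protocols, ...) untouched.
def harden_config(config)
  css = (config[:css] || {}).reject { |key, _| AT_RULE_KEYS.include?(key) }
  config.merge(elements: Array(config[:elements]) - ['style'], css: css)
end

if __FILE__ == $PROGRAM_NAME
  %w[2.1.0 3.0.0 6.0.1 6.0.2].each do |v|
    puts "#{v}: exposed=#{exposed_to_cve_2023_36823?(v, SAMPLE_RELAXED_LIKE)}"
  end
  puts "hardened 6.0.1: exposed=#{exposed_to_cve_2023_36823?('6.0.1', harden_config(SAMPLE_RELAXED_LIKE))}"
end
```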