Skip to content
/ html-sanitizer Public

v6.4.41

Choose a tag to compare

View all tags
@fabpot fabpot released this 27 May 08:30
· 77 commits to 8.2 since this release
v6.4.41
This tag was signed with the committer’s verified signature.
fabpot Fabien Potencier
SSH Key Fingerprint: 2Epes5EqLalzBuDpYoQuproz9c57CsymvlzEGYtOXJw
Verified
Learn about vigilant mode.
fba29d9

Changelog (v6.4.40...v6.4.41)

  • security #cve-2026-48761 Sanitize URL attributes on , , <iframe>, , and the URL inside content (@nicolas-grekas)
  • security #cve-2026-48760 Reject percent-encoded BiDi marks and Unicode whitespace in URLs (@nicolas-grekas)
  • bug #64342 Honor universal attribute sanitizers, apply maxInputLength to text contexts, document forceAttribute and allowAttribute caveats (@nicolas-grekas)

Contributors

nicolas-grekas
Assets 2
Loading