Skip to content
/ html-sanitizer Public

v7.4.13

Choose a tag to compare

View all tags
@fabpot fabpot released this 27 May 08:45
· 31 commits to 8.2 since this release
v7.4.13
This tag was signed with the committer’s verified signature.
fabpot Fabien Potencier
SSH Key Fingerprint: 2Epes5EqLalzBuDpYoQuproz9c57CsymvlzEGYtOXJw
Verified
Learn about vigilant mode.
761f6c4

Changelog (v7.4.12...v7.4.13)

  • security #cve-2026-48761 Sanitize URL attributes on , , <iframe>, , and the URL inside content (@nicolas-grekas)
  • security #cve-2026-48760 Reject percent-encoded BiDi marks and Unicode whitespace in URLs (@nicolas-grekas)
  • bug #64342 Honor universal attribute sanitizers, apply maxInputLength to text contexts, document forceAttribute and allowAttribute caveats (@nicolas-grekas)

Contributors

nicolas-grekas
Assets 2
Loading