v8.0.13

@fabpot fabpot released this 27 May 10:31
· 13 commits to 8.1 since this release

Changelog (v8.0.12...v8.0.13)

  • security #cve-2026-48761 Sanitize URL attributes on , , <iframe>, , and the URL inside content (@nicolas-grekas)
  • security #cve-2026-48760 Reject percent-encoded BiDi marks and Unicode whitespace in URLs (@nicolas-grekas)
  • bug #64342 Honor universal attribute sanitizers, apply maxInputLength to text contexts, document forceAttribute and allowAttribute caveats (@nicolas-grekas)