Skip to content

v2.1.1
Compare
Choose a tag to compare
@rgrove rgrove released this 30 Sep 20:48
v2.1.1
8dc3dca

  • CVE-2018-3740: Fixed an HTML injection vulnerability that could allow XSS (backported from Sanitize 4.6.3). @dometto - #188

    When Sanitize <= 2.1.0 is used in combination with libxml2 >= 2.9.2, a specially crafted HTML fragment can cause libxml2 to generate improperly escaped output, allowing non-whitelisted attributes to be used on whitelisted elements.

    Sanitize now performs additional escaping on affected attributes to prevent this.

    Many thanks to the Shopify Application Security Team for responsibly reporting this issue.

Assets 2
Loading