CHANGELOG
6.0.4
- Add additional null byte sanitization prior to html decoding (#48)
6.0.3
- Add null check to beginning of
sanitizeUrlfunction (#54)
6.0.2
- Fix issue where urls in the form
https://example.com

/somethingwere not properly sanitized
6.0.1
- Fix issue where urls in the form
javascript:alert('xss');were not properly sanitized - Fix issue where urls in the form
javasc	ript:alert('XSS');were not properly sanitized
6.0.0
Breaking Changes
- Decode HTML characters automatically that would result in an XSS vulnerability when rendering links via a server rendered HTML file
// decodes to javacript:alert('XSS')
const vulnerableUrl =
"javascript:alert('XSS')";
sanitizeUrl(vulnerableUrl); // 'about:blank'
const okUrl = "https://example.com/" + vulnerableUrl;
// since the javascript bit is in the path instead of the protocol
// this is successfully sanitized
sanitizeUrl(okUrl); // 'https://example.com/javascript:alert('XSS');
5.0.2
- Fix issue where certain invisible white space characters were not being sanitized (#35)
5.0.1
- Fix issue where certain safe characters were being filtered out (#31 thanks @akirchmyer)
5.0.0
Breaking Changes
- Sanitize vbscript urls (thanks @vicnicius)
4.1.1
- Fixup path to type declaration (closes #25)
4.1.0
- Add typescript types
4.0.1
- Fix issue where urls with accented characters were incorrectly sanitized
4.0.0
Breaking Changes
- Protocol-less urls (ie: www.example.com) will be sanitised and passed on instead of sending out
about:blank(Thanks @chawes13 #18)
3.1.0
- Trim whitespace from urls
3.0.0
breaking changes
- Replace blank strings with about:blank
- Replace null values with about:blank
2.1.0
- Allow relative urls to be sanitized
2.0.2
- Sanitize malicious URLs that begin with
\s
2.0.1
- Sanitize malicious URLs that begin with %20
2.0.0
- sanitize data: urls
1.0.0
- sanitize javascript: urls