# CHANGELOG

## 6.0.4

- Add additional null byte sanitization prior to html decoding (#48)

## 6.0.3

- Add null check to beginning of `sanitizeUrl` function ([#54](https://github.com/braintree/sanitize-url/issues/54))

## 6.0.2

- Fix issue where urls in the form `https://example.com /something` were not properly sanitized

## 6.0.1

- Fix issue where urls in the form `javascript:alert('xss');` were not properly sanitized
- Fix issue where urls in the form `javasc ript:alert('XSS');` were not properly sanitized

## 6.0.0

**Breaking Changes**

- Decode HTML characters automatically that would result in an XSS vulnerability when rendering links via a server rendered HTML file

```js
// decodes to javascript:alert('XSS')
const vulnerableUrl = "javascript:alert('XSS')";

sanitizeUrl(vulnerableUrl); // 'about:blank'

const okUrl = "https://example.com/" + vulnerableUrl;

// since the javascript bit is in the path instead of the protocol
// this is successfully sanitized
sanitizeUrl(okUrl); // 'https://example.com/javascript:alert('XSS');
```

## 5.0.2

- Fix issue where certain invisible white space characters were not being sanitized (#35)

## 5.0.1

- Fix issue where certain safe characters were being filtered out (#31 thanks @akirchmyer)

## 5.0.0

_Breaking Changes_

- Sanitize vbscript urls (thanks @vicnicius)

## 4.1.1

- Fixup path to type declaration (closes #25)

## 4.1.0

- Add typescript types

## 4.0.1

- Fix issue where urls with accented characters were incorrectly sanitized

## 4.0.0

_Breaking Changes_

- Protocol-less urls (ie: www.example.com) will be sanitised and passed on instead of sending out `about:blank` (Thanks @chawes13 #18)

## 3.1.0

- Trim whitespace from urls

## 3.0.0

_breaking changes_

- Replace blank strings with about:blank
- Replace null values with about:blank

## 2.1.0

- Allow relative urls to be sanitized

## 2.0.2

- Sanitize malicious URLs that begin with `\s`

## 2.0.1

- Sanitize malicious URLs that begin with %20

## 2.0.0

- sanitize data: urls

## 1.0.0

- sanitize javascript: urls