DOMPurify 3.4.7

• Hardened the handling of Shadow Roots when using IN_PLACE, thanks @GameZoneHacker
• Removed a problem leading to permanent hook pollution, thanks @offset
• Refactored the test suite and expanded test coverage significantly

DOMPurify 3.4.6

• Fixed several issues with DOM Clobbering in IN_PLACE mode, thanks @offset & @Bankde
• Hardened the checks for cross-realm IN_PLACE and Shadow DOM sanitization, thanks @offset & @Bankde
• Added more test coverage for IN_PLACE and general DOM Clobbering attacks
• Bumped several dependencies where possible

DOMPurify 3.4.5

• Fixed a bypass caused by the new HTML element selectedcontent added in 3.4.4, thanks @KabirAcharya

Note that this is a security release for an issue introduced in 3.4.4 and should be upgraded to immediately.

DOMPurify 3.4.4

• Added the selectedcontent element to default allow-list, thanks @lukewarlow
• Added the command and commandfor attributes to default allowed-list, thanks @lukewarlow
• Added better template scrubbing for IN_PLACE operations, thanks @DEMON1A
• Added stronger checks for cross-realm windows, thanks @DEMON1A & @fg0x0
• Updated demo website and made sure it uses the latest from main
• Updated existing workflows, fuzzer, dependabot, etc., added more tests
• Bumped several dependencies where possible

🚨 This release had been flagged as deprecated, please use DOMPurify 3.4.5 instead 🚨

DOMPurify 3.4.3

• Fixed an issue with handling of nested Shadow DOM trees, thanks @fishjojo1
• Fixed the template regexes to be more robust against ReDoS attacks, thanks @aleung27
• Updated the node iteration code to catch more Shadow DOM related issues
• Updated Playwright and added Node 26 to test matrix
• Updated existing workflows, fuzzer, release signing, etc., added more tests
• Bumped several dependencies where possible

DOMPurify 3.4.2

• Fixed an issue with URI validation on attributes allowed via ADD_ATTR callback, thanks @nelstrom
• Fixed an issue with source maps referring to non-existing files, thanks @cmdcolin
• Updated existing workflows, fuzzer, release signing, etc., added more tests
• Bumped several dependencies where possible

DOMPurify 3.4.1

• Fixed an issue with on-handler stripping for HTML-spec-reserved custom element names (font-face, color-profile, missing-glyph, font-face-src, font-face-uri, font-face-format, font-face-name) under permissive CUSTOM_ELEMENT_HANDLING
• Fixed a case-sensitivity gap in the annotation-xml check that allowed mixed-case variants to bypass the basic-custom-element exclusion in XHTML mode
• Fixed SANITIZE_NAMED_PROPS repeatedly prefixing already-prefixed id and name values on subsequent sanitization
• Fixed the IN_PLACE root-node check to explicitly guard against non-string nodeName (DOM-clobbering robustness)
• Removed a duplicate slot entry from the default HTML attribute allow-list
• Strengthened the fast-check fuzz harness with explicit XSS invariants, an expanded seed-payload corpus, an additional idempotence property for SANITIZE_NAMED_PROPS, and a negative-control assertion ensuring the invariants actually fire
• Added regression and pinning tests covering the above fixes and two accepted-behavior contracts (SAFE_FOR_TEMPLATES greedy scrub, hook-added attribute handling)
• Extended CodeQL analysis to run on 3.x and 2.x maintenance branches

DOMPurify 3.4.0

Most relevant changes:

• Fixed a problem with FORBID_TAGS not winning over ADD_TAGS, thanks @kodareef5
• Fixed several minor problems and typos regarding MathML attributes, thanks @DavidOliver
• Fixed ADD_ATTR/ADD_TAGS function leaking into subsequent array-based calls, thanks @1Jesper1
• Fixed a missing SAFE_FOR_TEMPLATES scrub in RETURN_DOM path, thanks @bencalif
• Fixed a prototype pollution via CUSTOM_ELEMENT_HANDLING, thanks @trace37labs
• Fixed an issue with ADD_TAGS function form bypassing FORBID_TAGS, thanks @eddieran
• Fixed an issue with ADD_ATTR predicates skipping URI validation, thanks @christos-eth
• Fixed an issue with USE_PROFILES prototype pollution, thanks @christos-eth
• Fixed an issue leading to possible mXSS via Re-Contextualization, thanks @researchatfluidattacks and others
• Fixed an issue with closing tags leading to possible mXSS, thanks @frevadiscor
• Fixed a problem with the type dentition patcher after Node version bump
• Fixed freezing BS runs by reducing the tested browsers array
• Bumped several dependencies where possible
• Added needed files for OpenSSF scorecard checks

Published Advisories are here:
https://github.com/cure53/DOMPurify/security/advisories?state=published

DOMPurify 3.3.3

• Fixed an engine requirement for Node 20 which caused hiccups, thanks @Rotzbua

DOMPurify 3.3.2

• Fixed a possible bypass caused by jsdom's faulty raw-text tag parsing, thanks multiple reporters
• Fixed a prototype pollution issue when working with custom elements, thanks @christos-eth
• Fixed a lenient config parsing in _isValidAttribute, thanks @christos-eth
• Bumped and removed several dependencies, thanks @Rotzbua
• Fixed the test suite after bumping dependencies, thanks @Rotzbua