Skip to content
Permalink

Comparing changes

Choose two branches to see what’s changed or to start a new pull request. If you need to, you can also or learn more about diff comparisons.

Open a pull request

Create a new pull request by comparing changes across two branches. If you need to, you can also . Learn more about diff comparisons here.
base repository: cure53/DOMPurify
Failed to load repositories. Confirm that selected base ref is valid, then try again.
Loading
base: 3.3.3
Choose a base ref
...
head repository: cure53/DOMPurify
Failed to load repositories. Confirm that selected head ref is valid, then try again.
Loading
compare: 3.4.1
Choose a head ref
  • 3 commits
  • 49 files changed
  • 9 contributors

Commits on Apr 14, 2026

  1. Getting 3.x branch ready for 3.4.0 release (#1250) 

    * build(deps): bump @tootallnate/once and jsdom (#1214)

Removes [@tootallnate/once](https://github.com/TooTallNate/once). It's no longer used after updating ancestor dependency [jsdom](https://github.com/jsdom/jsdom). These dependencies need to be updated together.


Removes `@tootallnate/once`

Updates `jsdom` from 20.0.3 to 28.1.0
- [Release notes](https://github.com/jsdom/jsdom/releases)
- [Changelog](https://github.com/jsdom/jsdom/blob/main/Changelog.md)
- [Commits](jsdom/jsdom@20.0.3...28.1.0)

---
updated-dependencies:
- dependency-name: "@tootallnate/once"
  dependency-version: 
  dependency-type: indirect
- dependency-name: jsdom
  dependency-version: 28.1.0
  dependency-type: direct:development
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* build(deps): bump serialize-javascript and @rollup/plugin-terser (#1213)

Bumps [serialize-javascript](https://github.com/yahoo/serialize-javascript) to 7.0.4 and updates ancestor dependency [@rollup/plugin-terser](https://github.com/rollup/plugins/tree/HEAD/packages/terser). These dependencies need to be updated together.


Updates `serialize-javascript` from 6.0.2 to 7.0.4
- [Release notes](https://github.com/yahoo/serialize-javascript/releases)
- [Commits](yahoo/serialize-javascript@v6.0.2...v7.0.4)

Updates `@rollup/plugin-terser` from 0.4.4 to 1.0.0
- [Changelog](https://github.com/rollup/plugins/blob/master/packages/terser/CHANGELOG.md)
- [Commits](https://github.com/rollup/plugins/commits/beep-v1.0.0/packages/terser)

---
updated-dependencies:
- dependency-name: serialize-javascript
  dependency-version: 7.0.4
  dependency-type: indirect
- dependency-name: "@rollup/plugin-terser"
  dependency-version: 1.0.0
  dependency-type: direct:development
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* fix: Fixed a problem with the type defition patcher after Node version bump

* build(deps-dev): bump undici from 7.23.0 to 7.24.1 (#1216)

Bumps [undici](https://github.com/nodejs/undici) from 7.23.0 to 7.24.1.
- [Release notes](https://github.com/nodejs/undici/releases)
- [Commits](nodejs/undici@v7.23.0...v7.24.1)

---
updated-dependencies:
- dependency-name: undici
  dependency-version: 7.24.1
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* build(deps-dev): bump flatted from 3.4.1 to 3.4.2 (#1218)

Bumps [flatted](https://github.com/WebReflection/flatted) from 3.4.1 to 3.4.2.
- [Commits](WebReflection/flatted@v3.4.1...v3.4.2)

---
updated-dependencies:
- dependency-name: flatted
  dependency-version: 3.4.2
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* test: Added more browser launchers to stay up-to-date

* test: Testing whether the Browser Stack "latest" labels work

* test: Expanded range of tested Node versions into both directions

* fix: Removed Node 26 test target again, not available yet

* fix: Removed Node 16 test target as it breaks

* Update README.md (#1222)

* build(deps-dev): bump serialize-javascript from 7.0.4 to 7.0.5 (#1223)

Bumps [serialize-javascript](https://github.com/yahoo/serialize-javascript) from 7.0.4 to 7.0.5.
- [Release notes](https://github.com/yahoo/serialize-javascript/releases)
- [Commits](yahoo/serialize-javascript@v7.0.4...v7.0.5)

---
updated-dependencies:
- dependency-name: serialize-javascript
  dependency-version: 7.0.5
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* build(deps): bump lodash from 4.17.23 to 4.18.1 (#1228)

Bumps [lodash](https://github.com/lodash/lodash) from 4.17.23 to 4.18.1.
- [Release notes](https://github.com/lodash/lodash/releases)
- [Commits](lodash/lodash@4.17.23...4.18.1)

---
updated-dependencies:
- dependency-name: lodash
  dependency-version: 4.18.1
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* build(deps-dev): bump lodash-es from 4.17.23 to 4.18.1 (#1225)

Bumps [lodash-es](https://github.com/lodash/lodash) from 4.17.23 to 4.18.1.
- [Release notes](https://github.com/lodash/lodash/releases)
- [Commits](lodash/lodash@4.17.23...4.18.1)

---
updated-dependencies:
- dependency-name: lodash-es
  dependency-version: 4.18.1
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* Create scorecard.yml

* fix: FORBID_TAGS must win over ADD_TAGS function predicate (#1230)

Mirrors the FORBID_ATTR early-exit pattern (c361baa, line 1214) for
FORBID_TAGS. When EXTRA_ELEMENT_HANDLING.tagCheck is a function that
returns true, the short-circuit evaluation previously skipped the
FORBID_TAGS check, allowing forbidden elements through.

Moves FORBID_TAGS[tagName] to an OR at the top of the condition so the
removal block is always entered for forbidden tags regardless of the
tagCheck predicate result.

* Update build-and-test.yml

* [StepSecurity] Apply security best practices (#1231)

Signed-off-by: StepSecurity Bot <bot@stepsecurity.io>

* build(deps-dev): bump jsdom from 28.1.0 to 29.0.2 (#1240)

Bumps [jsdom](https://github.com/jsdom/jsdom) from 28.1.0 to 29.0.2.
- [Release notes](https://github.com/jsdom/jsdom/releases)
- [Commits](jsdom/jsdom@v28.1.0...v29.0.2)

---
updated-dependencies:
- dependency-name: jsdom
  dependency-version: 29.0.2
  dependency-type: direct:development
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* build(deps-dev): bump rollup-plugin-dts from 6.4.0 to 6.4.1 (#1239)

Bumps [rollup-plugin-dts](https://github.com/Swatinem/rollup-plugin-dts) from 6.4.0 to 6.4.1.
- [Changelog](https://github.com/Swatinem/rollup-plugin-dts/blob/master/CHANGELOG.md)
- [Commits](Swatinem/rollup-plugin-dts@v6.4.0...v6.4.1)

---
updated-dependencies:
- dependency-name: rollup-plugin-dts
  dependency-version: 6.4.1
  dependency-type: direct:development
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* build(deps-dev): bump cross-env from 7.0.3 to 10.1.0 (#1238)

Bumps [cross-env](https://github.com/kentcdodds/cross-env) from 7.0.3 to 10.1.0.
- [Release notes](https://github.com/kentcdodds/cross-env/releases)
- [Changelog](https://github.com/kentcdodds/cross-env/blob/main/CHANGELOG.md)
- [Commits](kentcdodds/cross-env@v7.0.3...v10.1.0)

---
updated-dependencies:
- dependency-name: cross-env
  dependency-version: 10.1.0
  dependency-type: direct:development
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* build(deps): bump actions/upload-artifact from 4.6.1 to 7.0.1 (#1237)

Bumps [actions/upload-artifact](https://github.com/actions/upload-artifact) from 4.6.1 to 7.0.1.
- [Release notes](https://github.com/actions/upload-artifact/releases)
- [Commits](actions/upload-artifact@4cec3d8...043fb46)

---
updated-dependencies:
- dependency-name: actions/upload-artifact
  dependency-version: 7.0.1
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* build(deps-dev): bump @rollup/plugin-node-resolve from 15.3.1 to 16.0.3 (#1236)

Bumps [@rollup/plugin-node-resolve](https://github.com/rollup/plugins/tree/HEAD/packages/node-resolve) from 15.3.1 to 16.0.3.
- [Changelog](https://github.com/rollup/plugins/blob/master/packages/node-resolve/CHANGELOG.md)
- [Commits](https://github.com/rollup/plugins/commits/node-resolve-v16.0.3/packages/node-resolve)

---
updated-dependencies:
- dependency-name: "@rollup/plugin-node-resolve"
  dependency-version: 16.0.3
  dependency-type: direct:development
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* build(deps): bump ossf/scorecard-action from 2.4.1 to 2.4.3 (#1235)

Bumps [ossf/scorecard-action](https://github.com/ossf/scorecard-action) from 2.4.1 to 2.4.3.
- [Release notes](https://github.com/ossf/scorecard-action/releases)
- [Changelog](https://github.com/ossf/scorecard-action/blob/main/RELEASE.md)
- [Commits](ossf/scorecard-action@f49aabe...4eaacf0)

---
updated-dependencies:
- dependency-name: ossf/scorecard-action
  dependency-version: 2.4.3
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* build(deps): bump actions/checkout from 4.2.2 to 6.0.2 (#1234)

Bumps [actions/checkout](https://github.com/actions/checkout) from 4.2.2 to 6.0.2.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](actions/checkout@v4.2.2...de0fac2)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-version: 6.0.2
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* build(deps-dev): bump @babel/preset-env from 7.29.0 to 7.29.2 (#1233)

Bumps [@babel/preset-env](https://github.com/babel/babel/tree/HEAD/packages/babel-preset-env) from 7.29.0 to 7.29.2.
- [Release notes](https://github.com/babel/babel/releases)
- [Changelog](https://github.com/babel/babel/blob/main/CHANGELOG.md)
- [Commits](https://github.com/babel/babel/commits/v7.29.2/packages/babel-preset-env)

---
updated-dependencies:
- dependency-name: "@babel/preset-env"
  dependency-version: 7.29.2
  dependency-type: direct:development
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* build(deps): bump github/codeql-action from 3.35.1 to 4.35.1 (#1232)

Bumps [github/codeql-action](https://github.com/github/codeql-action) from 3.35.1 to 4.35.1.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](github/codeql-action@v3.35.1...c10b806)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-version: 4.35.1
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* Added CONTRIBUTIONS.md

* chore: Regenerated dist versions

* fix: added osv-scanner.toml to ignore flagged deps

* chore: update build-and-test.yml to get rid of a warning

* docs: update README.md with OSF results

* docs: update build-and-test.yml name

* docs: update README.md badges

* test: removed nine really old browsers from karma tests

* fix: apply SAFE_FOR_TEMPLATES scrub in RETURN_DOM path (#1241)

The RETURN_DOM path returns before the final template expression
scrub, allowing split mustache expressions to reconstruct after
element removal. Normalize adjacent text nodes and scrub body
before building the return node.

Co-authored-by: Developer <dev@devcontainer.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: prevent ADD_ATTR/ADD_TAGS function leaking into subsequent array-based calls (#1242)

When sanitize() is called with ADD_ATTR or ADD_TAGS as a function, the
function reference is stored in EXTRA_ELEMENT_HANDLING. A subsequent call
that passes ADD_ATTR/ADD_TAGS as an array did not clear the stored function
because objectHasOwnProperty(cfg, 'ADD_ATTR') returned true, skipping the
conditional reset.

The leaked function is evaluated before URI/tag checks, so a permissive
function (returning true) lets dangerous attributes (e.g. javascript: URIs)
or forbidden tags (e.g. iframe) through on later calls.

Fix: unconditionally reset tagCheck/attributeCheck to null on every
_parseConfig() call, then only set them if the current config provides a
function. This ensures no cross-call leakage.

Includes regression tests for both ADD_ATTR and ADD_TAGS leakage scenarios.

* test: reduced number of tested browsers again to be at 24

* Fix mathML attributes (#1243)

* test: reducing BS browser array once more to get unstuck

* test: temporarily reduced browser test array to four main items :-(

* build(deps-dev): bump eslint-config-prettier from 8.10.2 to 10.1.8 (#1244)

Bumps [eslint-config-prettier](https://github.com/prettier/eslint-config-prettier) from 8.10.2 to 10.1.8.
- [Release notes](https://github.com/prettier/eslint-config-prettier/releases)
- [Changelog](https://github.com/prettier/eslint-config-prettier/blob/main/CHANGELOG.md)
- [Commits](https://github.com/prettier/eslint-config-prettier/commits/v10.1.8)

---
updated-dependencies:
- dependency-name: eslint-config-prettier
  dependency-version: 10.1.8
  dependency-type: direct:development
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* build(deps-dev): bump rollup from 3.30.0 to 4.60.1 (#1246)

Bumps [rollup](https://github.com/rollup/rollup) from 3.30.0 to 4.60.1.
- [Release notes](https://github.com/rollup/rollup/releases)
- [Changelog](https://github.com/rollup/rollup/blob/master/CHANGELOG.md)
- [Commits](rollup/rollup@v3.30.0...v4.60.1)

---
updated-dependencies:
- dependency-name: rollup
  dependency-version: 4.60.1
  dependency-type: direct:development
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* build(deps): bump follow-redirects from 1.15.11 to 1.16.0 (#1249)

Bumps [follow-redirects](https://github.com/follow-redirects/follow-redirects) from 1.15.11 to 1.16.0.
- [Release notes](https://github.com/follow-redirects/follow-redirects/releases)
- [Commits](follow-redirects/follow-redirects@v1.15.11...v1.16.0)

---
updated-dependencies:
- dependency-name: follow-redirects
  dependency-version: 1.16.0
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* test: carefully expanded array of tested BS browsers again

* test: experimenting with new BS config to avoid the freezes
test: removed two Safari versions as they might be the cause
docs: updated version numbers for upcoming release

* test: reverted to old BS config values as they worked better

---------

Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: StepSecurity Bot <bot@stepsecurity.io>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: kodareef5 <kodareef5@gmail.com>
Co-authored-by: StepSecurity Bot <bot@stepsecurity.io>
Co-authored-by: bencalif <ben@calif.io>
Co-authored-by: Developer <dev@devcontainer.local>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Co-authored-by: 1Jesper1 <1jesper1@gmail.com>
Co-authored-by: David Oliver <github_0UEMJhIUyGLn7@doliver.co.uk>
    @cure53 @dependabot
    @kodareef5 @step-security-bot @bencalif @claude @1Jesper1 @DavidOliver
    9 people authored Apr 14, 2026
    Configuration menu
    Copy the full SHA
    5b16e0b View commit details
    Browse the repository at this point in the history

  2. test: added three more browsers to test setup (OSX, mobile)

    @cure53
    cure53 committed Apr 14, 2026
    Configuration menu
    Copy the full SHA
    09f5911 View commit details
    Browse the repository at this point in the history

Commits on Apr 21, 2026

  1. chore: merge main into 3.x for 3.4.1 release (#1301) 

    * chore: merge main into 3.x for 3.4.1 release
* ci: run CodeQL on 2.x and 3.x branches
    @cure53
    cure53 authored Apr 21, 2026
    Configuration menu
    Copy the full SHA
    5b0cdbb View commit details
    Browse the repository at this point in the history
Loading