Download Latest Version 3.4.2.tar.gz (348.8 kB)
Email in envelope

Get an email when there's a new version of DOMPurify

Home / 3.4.1
Name Modified Size InfoDownloads / Week
Parent folder
DOMPurify-3.4.1.zip.asc 2026-04-21 488 Bytes
0
DOMPurify-3.4.1.tar.gz.asc 2026-04-21 488 Bytes
0
DOMPurify 3.4.1 source code.tar.gz 2026-04-21 284.6 kB
0
DOMPurify 3.4.1 source code.zip 2026-04-21 320.4 kB
0
README.md 2026-04-21 1.2 kB
0
Totals: 5 Items   607.1 kB 0
  • Fixed an issue with on-handler stripping for HTML-spec-reserved custom element names (font-face, color-profile, missing-glyph, font-face-src, font-face-uri, font-face-format, font-face-name) under permissive CUSTOM_ELEMENT_HANDLING
  • Fixed a case-sensitivity gap in the annotation-xml check that allowed mixed-case variants to bypass the basic-custom-element exclusion in XHTML mode
  • Fixed SANITIZE_NAMED_PROPS repeatedly prefixing already-prefixed id and name values on subsequent sanitization
  • Fixed the IN_PLACE root-node check to explicitly guard against non-string nodeName (DOM-clobbering robustness)
  • Removed a duplicate slot entry from the default HTML attribute allow-list
  • Strengthened the fast-check fuzz harness with explicit XSS invariants, an expanded seed-payload corpus, an additional idempotence property for SANITIZE_NAMED_PROPS, and a negative-control assertion ensuring the invariants actually fire
  • Added regression and pinning tests covering the above fixes and two accepted-behavior contracts (SAFE_FOR_TEMPLATES greedy scrub, hook-added attribute handling)
  • Extended CodeQL analysis to run on 3.x and 2.x maintenance branches
Source: README.md, updated 2026-04-21