From f8e02be9fc3ea639edccfcaa50c6e71a22b2c068 Mon Sep 17 00:00:00 2001 From: boutell Date: Thu, 22 Feb 2024 11:30:42 -0500 Subject: [PATCH] release 2.12.1 --- CHANGELOG.md | 4 ++++ package.json | 2 +- 2 files changed, 5 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index e4a19bc..bf3ace9 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,5 +1,9 @@ # Changelog +## 2.12.1 (2024-02-22) + +- Do not parse sourcemaps in `post-css`. This fixes a vulnerability in which information about the existence or non-existence of files on a server could be disclosed via properly crafted HTML input when the `style` attribute is allowed by the configuration. Thanks to the [Snyk Security team](https://snyk.io/) for the disclosure and to [Dylan Armstrong](https://dylan.is/) for the fix. + ## 2.12.0 (2024-02-21) - Introduced the `allowedEmptyAttributes` option, enabling explicit specification of empty string values for select attributes, with the default attribute set to `alt`. Thanks to [Na](https://github.com/zhna123) for the contribution. diff --git a/package.json b/package.json index bd910c6..2e314c2 100644 --- a/package.json +++ b/package.json @@ -1,6 +1,6 @@ { "name": "sanitize-html", - "version": "2.12.0", + "version": "2.12.1", "description": "Clean up user-submitted HTML, preserving allowlisted elements and allowlisted attributes on a per-element basis", "sideEffects": false, "main": "index.js",