v8.1.0

Changelog (v8.1.0-RC1...v8.1.0)

• no significant changes

v8.1.0-RC1

Changelog (v8.1.0-BETA3...v8.1.0-RC1)

• security #cve-2026-48761 Sanitize URL attributes on , , <iframe>, , and the URL inside content (@nicolas-grekas)
• security #cve-2026-48760 Reject percent-encoded BiDi marks and Unicode whitespace in URLs (@nicolas-grekas)
• bug #64342 Honor universal attribute sanitizers, apply maxInputLength to text contexts, document forceAttribute and allowAttribute caveats (@nicolas-grekas)

v8.0.13

Changelog (v8.0.12...v8.0.13)

• security #cve-2026-48761 Sanitize URL attributes on , , <iframe>, , and the URL inside content (@nicolas-grekas)
• security #cve-2026-48760 Reject percent-encoded BiDi marks and Unicode whitespace in URLs (@nicolas-grekas)
• bug #64342 Honor universal attribute sanitizers, apply maxInputLength to text contexts, document forceAttribute and allowAttribute caveats (@nicolas-grekas)

v7.4.13

Changelog (v7.4.12...v7.4.13)

• security #cve-2026-48761 Sanitize URL attributes on , , <iframe>, , and the URL inside content (@nicolas-grekas)
• security #cve-2026-48760 Reject percent-encoded BiDi marks and Unicode whitespace in URLs (@nicolas-grekas)
• bug #64342 Honor universal attribute sanitizers, apply maxInputLength to text contexts, document forceAttribute and allowAttribute caveats (@nicolas-grekas)

v6.4.41

Changelog (v6.4.40...v6.4.41)

• security #cve-2026-48761 Sanitize URL attributes on , , <iframe>, , and the URL inside content (@nicolas-grekas)
• security #cve-2026-48760 Reject percent-encoded BiDi marks and Unicode whitespace in URLs (@nicolas-grekas)
• bug #64342 Honor universal attribute sanitizers, apply maxInputLength to text contexts, document forceAttribute and allowAttribute caveats (@nicolas-grekas)

v8.1.0-BETA3

Changelog (v8.1.0-BETA1...v8.1.0-BETA3)

• security #cve-2026-45753 Sanitize URLs in action, formaction, poster and cite attributes (@nicolas-grekas)
• security #cve-2026-45064 Reject BiDi override characters and percent-encode spaces in URLs (@nicolas-grekas)
• security #cve-2026-45066 Fix allowLinkHosts/allowMediaHosts bypass via URL parser differentials and <area> misclassification (@alexandre-daubois)

v8.0.12

Changelog (v8.0.7...v8.0.12)

• security #cve-2026-45753 Sanitize URLs in action, formaction, poster and cite attributes (@nicolas-grekas)
• security #cve-2026-45064 Reject BiDi override characters and percent-encode spaces in URLs (@nicolas-grekas)
• security #cve-2026-45066 Fix allowLinkHosts/allowMediaHosts bypass via URL parser differentials and <area> misclassification (@alexandre-daubois)

v7.4.12

Changelog (v7.4.7...v7.4.12)

• security #cve-2026-45753 Sanitize URLs in action, formaction, poster and cite attributes (@nicolas-grekas)
• security #cve-2026-45064 Reject BiDi override characters and percent-encode spaces in URLs (@nicolas-grekas)
• security #cve-2026-45066 Fix allowLinkHosts/allowMediaHosts bypass via URL parser differentials and <area> misclassification (@alexandre-daubois)

v6.4.40

Changelog (v6.4.35...v6.4.40)

• security #cve-2026-45753 Sanitize URLs in action, formaction, poster and cite attributes (@nicolas-grekas)
• security #cve-2026-45064 Reject BiDi override characters and percent-encode spaces in URLs (@nicolas-grekas)
• security #cve-2026-45066 Fix allowLinkHosts/allowMediaHosts bypass via URL parser differentials and <area> misclassification (@alexandre-daubois)

v8.1.0-BETA1

Create tag v8.1.0-BETA1