base repository: cure53/DOMPurify
base: 3.4.1
head repository: cure53/DOMPurify
compare: 3.4.2
  • 1 commit
  • 24 files changed
  • 11 contributors

Commits on Apr 30, 2026

  1. Sync/3.4.2 (#1322)

    * build(deps): bump @tootallnate/once and jsdom (#1214)
    
    Removes [@tootallnate/once](https://github.com/TooTallNate/once). It's no longer used after updating ancestor dependency [jsdom](https://github.com/jsdom/jsdom). These dependencies need to be updated together.
    
    
    Removes `@tootallnate/once`
    
    Updates `jsdom` from 20.0.3 to 28.1.0
    - [Release notes](https://github.com/jsdom/jsdom/releases)
    - [Changelog](https://github.com/jsdom/jsdom/blob/main/Changelog.md)
    - [Commits](jsdom/jsdom@20.0.3...28.1.0)
    
    ---
    updated-dependencies:
    - dependency-name: "@tootallnate/once"
      dependency-version: 
      dependency-type: indirect
    - dependency-name: jsdom
      dependency-version: 28.1.0
      dependency-type: direct:development
    ...
    
    Signed-off-by: dependabot[bot] <support@github.com>
    Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
    
    * build(deps): bump serialize-javascript and @rollup/plugin-terser (#1213)
    
    Bumps [serialize-javascript](https://github.com/yahoo/serialize-javascript) to 7.0.4 and updates ancestor dependency [@rollup/plugin-terser](https://github.com/rollup/plugins/tree/HEAD/packages/terser). These dependencies need to be updated together.
    
    
    Updates `serialize-javascript` from 6.0.2 to 7.0.4
    - [Release notes](https://github.com/yahoo/serialize-javascript/releases)
    - [Commits](yahoo/serialize-javascript@v6.0.2...v7.0.4)
    
    Updates `@rollup/plugin-terser` from 0.4.4 to 1.0.0
    - [Changelog](https://github.com/rollup/plugins/blob/master/packages/terser/CHANGELOG.md)
    - [Commits](https://github.com/rollup/plugins/commits/beep-v1.0.0/packages/terser)
    
    ---
    updated-dependencies:
    - dependency-name: serialize-javascript
      dependency-version: 7.0.4
      dependency-type: indirect
    - dependency-name: "@rollup/plugin-terser"
      dependency-version: 1.0.0
      dependency-type: direct:development
    ...
    
    Signed-off-by: dependabot[bot] <support@github.com>
    Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
    
    * fix: Fixed a problem with the type definition patcher after Node version bump
    
    * build(deps-dev): bump undici from 7.23.0 to 7.24.1 (#1216)
    
    Bumps [undici](https://github.com/nodejs/undici) from 7.23.0 to 7.24.1.
    - [Release notes](https://github.com/nodejs/undici/releases)
    - [Commits](nodejs/undici@v7.23.0...v7.24.1)
    
    ---
    updated-dependencies:
    - dependency-name: undici
      dependency-version: 7.24.1
      dependency-type: indirect
    ...
    
    Signed-off-by: dependabot[bot] <support@github.com>
    Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
    
    * build(deps-dev): bump flatted from 3.4.1 to 3.4.2 (#1218)
    
    Bumps [flatted](https://github.com/WebReflection/flatted) from 3.4.1 to 3.4.2.
    - [Commits](WebReflection/flatted@v3.4.1...v3.4.2)
    
    ---
    updated-dependencies:
    - dependency-name: flatted
      dependency-version: 3.4.2
      dependency-type: indirect
    ...
    
    Signed-off-by: dependabot[bot] <support@github.com>
    Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
    
    * test: Added more browser launchers to stay up-to-date
    
    * test: Testing whether the Browser Stack "latest" labels work
    
    * test: Expanded range of tested Node versions into both directions
    
    * fix: Removed Node 26 test target again, not available yet
    
    * fix: Removed Node 16 test target as it breaks
    
    * Update README.md (#1222)
    
    * build(deps-dev): bump serialize-javascript from 7.0.4 to 7.0.5 (#1223)
    
    Bumps [serialize-javascript](https://github.com/yahoo/serialize-javascript) from 7.0.4 to 7.0.5.
    - [Release notes](https://github.com/yahoo/serialize-javascript/releases)
    - [Commits](yahoo/serialize-javascript@v7.0.4...v7.0.5)
    
    ---
    updated-dependencies:
    - dependency-name: serialize-javascript
      dependency-version: 7.0.5
      dependency-type: indirect
    ...
    
    Signed-off-by: dependabot[bot] <support@github.com>
    Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
    
    * build(deps): bump lodash from 4.17.23 to 4.18.1 (#1228)
    
    Bumps [lodash](https://github.com/lodash/lodash) from 4.17.23 to 4.18.1.
    - [Release notes](https://github.com/lodash/lodash/releases)
    - [Commits](lodash/lodash@4.17.23...4.18.1)
    
    ---
    updated-dependencies:
    - dependency-name: lodash
      dependency-version: 4.18.1
      dependency-type: indirect
    ...
    
    Signed-off-by: dependabot[bot] <support@github.com>
    Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
    
    * build(deps-dev): bump lodash-es from 4.17.23 to 4.18.1 (#1225)
    
    Bumps [lodash-es](https://github.com/lodash/lodash) from 4.17.23 to 4.18.1.
    - [Release notes](https://github.com/lodash/lodash/releases)
    - [Commits](lodash/lodash@4.17.23...4.18.1)
    
    ---
    updated-dependencies:
    - dependency-name: lodash-es
      dependency-version: 4.18.1
      dependency-type: indirect
    ...
    
    Signed-off-by: dependabot[bot] <support@github.com>
    Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
    
    * Create scorecard.yml
    
    * fix: FORBID_TAGS must win over ADD_TAGS function predicate (#1230)
    
    Mirrors the FORBID_ATTR early-exit pattern (c361baa, line 1214) for
    FORBID_TAGS. When EXTRA_ELEMENT_HANDLING.tagCheck is a function that
    returns true, the short-circuit evaluation previously skipped the
    FORBID_TAGS check, allowing forbidden elements through.
    
    Moves FORBID_TAGS[tagName] to an OR at the top of the condition so the
    removal block is always entered for forbidden tags regardless of the
    tagCheck predicate result.
    
    * Update build-and-test.yml
    
    * [StepSecurity] Apply security best practices (#1231)
    
    Signed-off-by: StepSecurity Bot <bot@stepsecurity.io>
    
    * build(deps-dev): bump jsdom from 28.1.0 to 29.0.2 (#1240)
    
    Bumps [jsdom](https://github.com/jsdom/jsdom) from 28.1.0 to 29.0.2.
    - [Release notes](https://github.com/jsdom/jsdom/releases)
    - [Commits](jsdom/jsdom@v28.1.0...v29.0.2)
    
    ---
    updated-dependencies:
    - dependency-name: jsdom
      dependency-version: 29.0.2
      dependency-type: direct:development
      update-type: version-update:semver-major
    ...
    
    Signed-off-by: dependabot[bot] <support@github.com>
    Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
    
    * build(deps-dev): bump rollup-plugin-dts from 6.4.0 to 6.4.1 (#1239)
    
    Bumps [rollup-plugin-dts](https://github.com/Swatinem/rollup-plugin-dts) from 6.4.0 to 6.4.1.
    - [Changelog](https://github.com/Swatinem/rollup-plugin-dts/blob/master/CHANGELOG.md)
    - [Commits](Swatinem/rollup-plugin-dts@v6.4.0...v6.4.1)
    
    ---
    updated-dependencies:
    - dependency-name: rollup-plugin-dts
      dependency-version: 6.4.1
      dependency-type: direct:development
      update-type: version-update:semver-patch
    ...
    
    Signed-off-by: dependabot[bot] <support@github.com>
    Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
    
    * build(deps-dev): bump cross-env from 7.0.3 to 10.1.0 (#1238)
    
    Bumps [cross-env](https://github.com/kentcdodds/cross-env) from 7.0.3 to 10.1.0.
    - [Release notes](https://github.com/kentcdodds/cross-env/releases)
    - [Changelog](https://github.com/kentcdodds/cross-env/blob/main/CHANGELOG.md)
    - [Commits](kentcdodds/cross-env@v7.0.3...v10.1.0)
    
    ---
    updated-dependencies:
    - dependency-name: cross-env
      dependency-version: 10.1.0
      dependency-type: direct:development
      update-type: version-update:semver-major
    ...
    
    Signed-off-by: dependabot[bot] <support@github.com>
    Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
    
    * build(deps): bump actions/upload-artifact from 4.6.1 to 7.0.1 (#1237)
    
    Bumps [actions/upload-artifact](https://github.com/actions/upload-artifact) from 4.6.1 to 7.0.1.
    - [Release notes](https://github.com/actions/upload-artifact/releases)
    - [Commits](actions/upload-artifact@4cec3d8...043fb46)
    
    ---
    updated-dependencies:
    - dependency-name: actions/upload-artifact
      dependency-version: 7.0.1
      dependency-type: direct:production
      update-type: version-update:semver-major
    ...
    
    Signed-off-by: dependabot[bot] <support@github.com>
    Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
    
    * build(deps-dev): bump @rollup/plugin-node-resolve from 15.3.1 to 16.0.3 (#1236)
    
    Bumps [@rollup/plugin-node-resolve](https://github.com/rollup/plugins/tree/HEAD/packages/node-resolve) from 15.3.1 to 16.0.3.
    - [Changelog](https://github.com/rollup/plugins/blob/master/packages/node-resolve/CHANGELOG.md)
    - [Commits](https://github.com/rollup/plugins/commits/node-resolve-v16.0.3/packages/node-resolve)
    
    ---
    updated-dependencies:
    - dependency-name: "@rollup/plugin-node-resolve"
      dependency-version: 16.0.3
      dependency-type: direct:development
      update-type: version-update:semver-major
    ...
    
    Signed-off-by: dependabot[bot] <support@github.com>
    Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
    
    * build(deps): bump ossf/scorecard-action from 2.4.1 to 2.4.3 (#1235)
    
    Bumps [ossf/scorecard-action](https://github.com/ossf/scorecard-action) from 2.4.1 to 2.4.3.
    - [Release notes](https://github.com/ossf/scorecard-action/releases)
    - [Changelog](https://github.com/ossf/scorecard-action/blob/main/RELEASE.md)
    - [Commits](ossf/scorecard-action@f49aabe...4eaacf0)
    
    ---
    updated-dependencies:
    - dependency-name: ossf/scorecard-action
      dependency-version: 2.4.3
      dependency-type: direct:production
      update-type: version-update:semver-patch
    ...
    
    Signed-off-by: dependabot[bot] <support@github.com>
    Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
    
    * build(deps): bump actions/checkout from 4.2.2 to 6.0.2 (#1234)
    
    Bumps [actions/checkout](https://github.com/actions/checkout) from 4.2.2 to 6.0.2.
    - [Release notes](https://github.com/actions/checkout/releases)
    - [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
    - [Commits](actions/checkout@v4.2.2...de0fac2)
    
    ---
    updated-dependencies:
    - dependency-name: actions/checkout
      dependency-version: 6.0.2
      dependency-type: direct:production
      update-type: version-update:semver-major
    ...
    
    Signed-off-by: dependabot[bot] <support@github.com>
    Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
    
    * build(deps-dev): bump @babel/preset-env from 7.29.0 to 7.29.2 (#1233)
    
    Bumps [@babel/preset-env](https://github.com/babel/babel/tree/HEAD/packages/babel-preset-env) from 7.29.0 to 7.29.2.
    - [Release notes](https://github.com/babel/babel/releases)
    - [Changelog](https://github.com/babel/babel/blob/main/CHANGELOG.md)
    - [Commits](https://github.com/babel/babel/commits/v7.29.2/packages/babel-preset-env)
    
    ---
    updated-dependencies:
    - dependency-name: "@babel/preset-env"
      dependency-version: 7.29.2
      dependency-type: direct:development
      update-type: version-update:semver-patch
    ...
    
    Signed-off-by: dependabot[bot] <support@github.com>
    Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
    
    * build(deps): bump github/codeql-action from 3.35.1 to 4.35.1 (#1232)
    
    Bumps [github/codeql-action](https://github.com/github/codeql-action) from 3.35.1 to 4.35.1.
    - [Release notes](https://github.com/github/codeql-action/releases)
    - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
    - [Commits](github/codeql-action@v3.35.1...c10b806)
    
    ---
    updated-dependencies:
    - dependency-name: github/codeql-action
      dependency-version: 4.35.1
      dependency-type: direct:production
      update-type: version-update:semver-major
    ...
    
    Signed-off-by: dependabot[bot] <support@github.com>
    Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
    
    * Added CONTRIBUTIONS.md
    
    * chore: Regenerated dist versions
    
    * fix: added osv-scanner.toml to ignore flagged deps
    
    * chore: update build-and-test.yml to get rid of a warning
    
    * docs: update README.md with OSF results
    
    * docs: update build-and-test.yml name
    
    * docs: update README.md badges
    
    * test: removed nine really old browsers from karma tests
    
    * fix: apply SAFE_FOR_TEMPLATES scrub in RETURN_DOM path (#1241)
    
    The RETURN_DOM path returns before the final template expression
    scrub, allowing split mustache expressions to reconstruct after
    element removal. Normalize adjacent text nodes and scrub body
    before building the return node.
    
    Co-authored-by: Developer <dev@devcontainer.local>
    Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
    
    * fix: prevent ADD_ATTR/ADD_TAGS function leaking into subsequent array-based calls (#1242)
    
    When sanitize() is called with ADD_ATTR or ADD_TAGS as a function, the
    function reference is stored in EXTRA_ELEMENT_HANDLING. A subsequent call
    that passes ADD_ATTR/ADD_TAGS as an array did not clear the stored function
    because objectHasOwnProperty(cfg, 'ADD_ATTR') returned true, skipping the
    conditional reset.
    
    The leaked function is evaluated before URI/tag checks, so a permissive
    function (returning true) lets dangerous attributes (e.g. javascript: URIs)
    or forbidden tags (e.g. iframe) through on later calls.
    
    Fix: unconditionally reset tagCheck/attributeCheck to null on every
    _parseConfig() call, then only set them if the current config provides a
    function. This ensures no cross-call leakage.
    
    Includes regression tests for both ADD_ATTR and ADD_TAGS leakage scenarios.
    
    * test: reduced number of tested browsers again to be at 24
    
    * Fix mathML attributes (#1243)
    
    * test: reducing BS browser array once more to get unstuck
    
    * test: temporarily reduced browser test array to four main items :-(
    
    * build(deps-dev): bump eslint-config-prettier from 8.10.2 to 10.1.8 (#1244)
    
    Bumps [eslint-config-prettier](https://github.com/prettier/eslint-config-prettier) from 8.10.2 to 10.1.8.
    - [Release notes](https://github.com/prettier/eslint-config-prettier/releases)
    - [Changelog](https://github.com/prettier/eslint-config-prettier/blob/main/CHANGELOG.md)
    - [Commits](https://github.com/prettier/eslint-config-prettier/commits/v10.1.8)
    
    ---
    updated-dependencies:
    - dependency-name: eslint-config-prettier
      dependency-version: 10.1.8
      dependency-type: direct:development
      update-type: version-update:semver-major
    ...
    
    Signed-off-by: dependabot[bot] <support@github.com>
    Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
    
    * build(deps-dev): bump rollup from 3.30.0 to 4.60.1 (#1246)
    
    Bumps [rollup](https://github.com/rollup/rollup) from 3.30.0 to 4.60.1.
    - [Release notes](https://github.com/rollup/rollup/releases)
    - [Changelog](https://github.com/rollup/rollup/blob/master/CHANGELOG.md)
    - [Commits](rollup/rollup@v3.30.0...v4.60.1)
    
    ---
    updated-dependencies:
    - dependency-name: rollup
      dependency-version: 4.60.1
      dependency-type: direct:development
      update-type: version-update:semver-major
    ...
    
    Signed-off-by: dependabot[bot] <support@github.com>
    Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
    
    * build(deps): bump follow-redirects from 1.15.11 to 1.16.0 (#1249)
    
    Bumps [follow-redirects](https://github.com/follow-redirects/follow-redirects) from 1.15.11 to 1.16.0.
    - [Release notes](https://github.com/follow-redirects/follow-redirects/releases)
    - [Commits](follow-redirects/follow-redirects@v1.15.11...v1.16.0)
    
    ---
    updated-dependencies:
    - dependency-name: follow-redirects
      dependency-version: 1.16.0
      dependency-type: indirect
    ...
    
    Signed-off-by: dependabot[bot] <support@github.com>
    Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
    
    * test: carefully expanded array of tested BS browsers again
    
    * test: experimenting with new BS config to avoid the freezes
    test: removed two Safari versions as they might be the cause
    docs: updated version numbers for upcoming release
    
    * test: reverted to old BS config values as they worked better
    
    * Update LICENSE (#1254)
    
    * test: added three more browsers to test array (OSX, mobile)
    
    * Update karma.custom-launchers.config.js (#1256)
    
    * docs: updated list of contributors and fixed some outdated docs (#1257)
    
    * Update README.md (#1258)
    
    * test: added first scaffold for a simple data type and config fuzzer
    
    * test: added first scaffold for a simple data type and config fuzzer (#1259)
    
    * build(deps-dev): bump @rollup/plugin-babel from 6.1.0 to 7.0.0 (#1264)
    
    Bumps [@rollup/plugin-babel](https://github.com/rollup/plugins/tree/HEAD/packages/babel) from 6.1.0 to 7.0.0.
    - [Changelog](https://github.com/rollup/plugins/blob/master/packages/babel/CHANGELOG.md)
    - [Commits](https://github.com/rollup/plugins/commits/url-v7.0.0/packages/babel)
    
    ---
    updated-dependencies:
    - dependency-name: "@rollup/plugin-babel"
      dependency-version: 7.0.0
      dependency-type: direct:development
      update-type: version-update:semver-major
    ...
    
    Signed-off-by: dependabot[bot] <support@github.com>
    Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
    
    * build(deps-dev): bump @types/node from 16.18.126 to 25.6.0 (#1262)
    
    Bumps [@types/node](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/node) from 16.18.126 to 25.6.0.
    - [Release notes](https://github.com/DefinitelyTyped/DefinitelyTyped/releases)
    - [Commits](https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/node)
    
    ---
    updated-dependencies:
    - dependency-name: "@types/node"
      dependency-version: 25.6.0
      dependency-type: direct:development
      update-type: version-update:semver-major
    ...
    
    Signed-off-by: dependabot[bot] <support@github.com>
    Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
    Co-authored-by: Cure53 <mario@cure53.de>
    
    * build(deps-dev): bump rollup-plugin-typescript2 from 0.36.0 to 0.37.0 (#1263)
    
    Bumps [rollup-plugin-typescript2](https://github.com/ezolenko/rollup-plugin-typescript2) from 0.36.0 to 0.37.0.
    - [Release notes](https://github.com/ezolenko/rollup-plugin-typescript2/releases)
    - [Changelog](https://github.com/ezolenko/rollup-plugin-typescript2/blob/master/CHANGELOG.md)
    - [Commits](ezolenko/rollup-plugin-typescript2@0.36.0...0.37.0)
    
    ---
    updated-dependencies:
    - dependency-name: rollup-plugin-typescript2
      dependency-version: 0.37.0
      dependency-type: direct:development
      update-type: version-update:semver-minor
    ...
    
    Signed-off-by: dependabot[bot] <support@github.com>
    Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
    Co-authored-by: Cure53 <mario@cure53.de>
    
    * test: Extended the fuzzer a bit to cover the config object
    
    * Cure53 basic fuzzer (#1265)
    
    * test: added first scaffold for a simple data type and config fuzzer
    
    * test: Extended the fuzzer a bit to cover the config object
    
    * test: expanded fuzzer test coverage for bad config values
    fix: fixed several crashes caused by bad config values and data types
    fix: added necessary utility messages to utils.js
    
    * Cure53 basic fuzzer (#1266)
    
    * test: added first scaffold for a simple data type and config fuzzer
    
    * test: Extended the fuzzer a bit to cover the config object
    
    * test: expanded fuzzer test coverage for bad config values
    fix: fixed several crashes caused by bad config values and data types
    fix: added necessary utility messages to utils.js
    
    * fix: made the NAMESPACE config handling less crashy
    
    * fix: added better config hardening and removed crash potentials
    test: expanded test suite to cover above changes
    
    * Update README.md
    
    Added new badge, added `npm run test:fuzz` info
    
    * chore(deps): bump rimraf, prettier, eslint-plugin-prettier, minimist
    
    * style: reformat codebase with Prettier 3
    
    * chore(test): migrate from Karma to Playwright for browser tests
    
    Karma has been deprecated since April 2023 and has been blocking
    Dependabot updates across the dev-dependency tree. This migration
    replaces it with Playwright while preserving all existing test logic.
    
    Changes:
    - Replace Karma + karma-* plugin ecosystem with @playwright/test
    - Add tiny zero-dep static file server for the Playwright webServer
    - Add HTML runner pages for dist/purify.js and dist/purify.min.js that
      load QUnit, jQuery, DOMPurify, test-suite.js, and an ES module entry
    - Add Playwright spec that drives each runner, waits for QUnit.done,
      and surfaces per-assertion failure detail on error
    - Drop rollup-plugin-includepaths (was only aliasing 'purify' for Karma)
    - Drop minimist (was only used by the old custom-launchers config)
    - Update build-and-test.yml to install Playwright browsers and upload
      playwright-report/ artifact on failure
    
    Unchanged:
    - test/test-suite.js (2398 lines of QUnit assertions)
    - test/bootstrap-test-suite.js
    - test/fixtures/expect.mjs
    - test/config/setup.js
    - test/jsdom-node-runner.js, test/jsdom-node.js
    - test/fuzz/**
    - rollup.config.js, src/**, scripts/**
    
    Browser coverage: chromium, firefox, and webkit run locally and on
    non-BrowserStack CI (3 rendering engines: Blink, Gecko, WebKit).
    The 28-browser BrowserStack matrix is temporarily disabled and will
    be restored in a follow-up PR via browserstack-node-sdk.
    
    Test counts verified identical pre/post migration:
    911 QUnit tests × 2 suites, all passing.
    
    * fix(test): harden test/browser/server.js against path traversal and reflected XSS
    
    * ci(test): add cross-OS browser matrix (ubuntu + macOS + windows)
    
    * fix: added pinning hash for dependency
    
    * Update README.md
    
    Updated browser test coverage info
    
    * build: migrate rollup-plugin-typescript2 and pre-commit
    
    Switch rollup-plugin-typescript2 → @rollup/plugin-typescript (official,
    actively maintained by the Rollup team). Type declaration pipeline is
    unaffected — types are generated by tsc directly, not the rollup plugin.
    
    Switch pre-commit → husky (modern standard, zero runtime deps, actively
    maintained). Hook behavior is identical: lint + build + stage dist files.
    The prepare script ensures hooks install automatically on npm install.
    
    * chore: cleaned up two ignored issues from OSV TOML file
    
    * chore: removed some unneeded files
    build: made sure npx is properly pinned and not flagged by scorecard
    
    * chore: removed some unneeded files (#1279)
    
    build: made sure npx is properly pinned and not flagged by scorecard
    
    Co-authored-by: Mario Heiderich <mario.heiderich@gmail.com>
    
    * Create CODEOWNERS (#1280)
    
    * Update build-and-test.yml (#1282)
    
    * build(deps): bump github/codeql-action from 4.35.1 to 4.35.2 (#1288)
    
    Bumps [github/codeql-action](https://github.com/github/codeql-action) from 4.35.1 to 4.35.2.
    - [Release notes](https://github.com/github/codeql-action/releases)
    - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
    - [Commits](github/codeql-action@c10b806...95e58e9)
    
    ---
    updated-dependencies:
    - dependency-name: github/codeql-action
      dependency-version: 4.35.2
      dependency-type: direct:production
      update-type: version-update:semver-patch
    ...
    
    Signed-off-by: dependabot[bot] <support@github.com>
    Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
    
    * build(deps): bump actions/upload-artifact from 4.6.2 to 7.0.1 (#1286)
    
    Bumps [actions/upload-artifact](https://github.com/actions/upload-artifact) from 4.6.2 to 7.0.1.
    - [Release notes](https://github.com/actions/upload-artifact/releases)
    - [Commits](actions/upload-artifact@v4.6.2...043fb46)
    
    ---
    updated-dependencies:
    - dependency-name: actions/upload-artifact
      dependency-version: 7.0.1
      dependency-type: direct:production
      update-type: version-update:semver-major
    ...
    
    Signed-off-by: dependabot[bot] <support@github.com>
    Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
    Co-authored-by: Cure53 <mario@cure53.de>
    
    * build(deps): bump step-security/harden-runner from 2.17.0 to 2.18.0 (#1285)
    
    Bumps [step-security/harden-runner](https://github.com/step-security/harden-runner) from 2.17.0 to 2.18.0.
    - [Release notes](https://github.com/step-security/harden-runner/releases)
    - [Commits](step-security/harden-runner@f808768...6c3c2f2)
    
    ---
    updated-dependencies:
    - dependency-name: step-security/harden-runner
      dependency-version: 2.18.0
      dependency-type: direct:production
      update-type: version-update:semver-minor
    ...
    
    Signed-off-by: dependabot[bot] <support@github.com>
    Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
    Co-authored-by: Cure53 <mario@cure53.de>
    
    * build(deps-dev): bump fast-check from 4.6.0 to 4.7.0 (#1287)
    
    Bumps [fast-check](https://github.com/dubzzz/fast-check/tree/HEAD/packages/fast-check) from 4.6.0 to 4.7.0.
    - [Release notes](https://github.com/dubzzz/fast-check/releases)
    - [Changelog](https://github.com/dubzzz/fast-check/blob/main/packages/fast-check/CHANGELOG.md)
    - [Commits](https://github.com/dubzzz/fast-check/commits/v4.7.0/packages/fast-check)
    
    ---
    updated-dependencies:
    - dependency-name: fast-check
      dependency-version: 4.7.0
      dependency-type: direct:development
      update-type: version-update:semver-minor
    ...
    
    Signed-off-by: dependabot[bot] <support@github.com>
    Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
    Co-authored-by: Cure53 <mario@cure53.de>
    
    * Update purify.ts (#1290)
    
    chore: removed some risky dead code, thanks @1Jesper1
    
    * Update config.ts (#1291)
    
    chore: fixed a typo, thanks @1Jesper1
    
    * Update README.md (#1292)
    
    * build(deps-dev): bump rollup from 4.60.1 to 4.60.2 (#1294)
    
    Bumps [rollup](https://github.com/rollup/rollup) from 4.60.1 to 4.60.2.
    - [Release notes](https://github.com/rollup/rollup/releases)
    - [Changelog](https://github.com/rollup/rollup/blob/master/CHANGELOG.md)
    - [Commits](rollup/rollup@v4.60.1...v4.60.2)
    
    ---
    updated-dependencies:
    - dependency-name: rollup
      dependency-version: 4.60.2
      dependency-type: direct:development
      update-type: version-update:semver-patch
    ...
    
    Signed-off-by: dependabot[bot] <support@github.com>
    Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
    
    * Update attrs.ts (#1295)
    
    fix: removed a duplicate entry
    
    * Cure53 code hardening (#1296)
    
    * chore: added stronger check for HTML Custom Element tagnames
    chore: added stronger check for IN_PLACE tagname types
    
    * test: add regression and pinning tests from April 2026 review
    
    * test: added more fuzzer properties and a negative check (#1297)
    
    * Cure53 fuzzer update (#1298)
    
    * test: added more fuzzer properties and a negative check
    * chore: getting ready for 3.4.1 release
    
    * Create sign-release.yml (#1303)
    
    * Create sign-release.yml
    * Create slsa-provenance.yml
    
    * Update scorecard.yml (#1304)
    
    * Update scorecard.yml
    * Update sign-release.yml
    * Update slsa-provenance.yml
    * Update sign-release.yml
    
    * Update slsa-provenance.yml (#1305)
    
    * Update slsa-provenance.yml
    * Update sign-release.yml
    * Update slsa-provenance.yml
    
    * Update scorecard.yml (#1306)
    
    * Update scorecard.yml (#1307)
    
    * chore: added new workflow files for a first test (#1308)
    
    * chore: added new workflow files for a first test
    * chore: adjusted the build-and-test workflow slightly
    * chore: added a build-and-test-skip workflow to save on time and CPU
    
    * Cure53 expanding tests (#1310)
    
    * test: expanded test coverage for form clobbering and type confusions
    * test: removed some outdated comments in test suite
    
    * Update build-and-test.yml (#1311)
    
    * build(deps): bump actions/attest-build-provenance from 2.2.3 to 4.1.0 (#1315)
    
    Bumps [actions/attest-build-provenance](https://github.com/actions/attest-build-provenance) from 2.2.3 to 4.1.0.
    - [Release notes](https://github.com/actions/attest-build-provenance/releases)
    - [Changelog](https://github.com/actions/attest-build-provenance/blob/main/RELEASE.md)
    - [Commits](actions/attest-build-provenance@c074443...a2bbfa2)
    
    ---
    updated-dependencies:
    - dependency-name: actions/attest-build-provenance
      dependency-version: 4.1.0
      dependency-type: direct:production
      update-type: version-update:semver-major
    ...
    
    Signed-off-by: dependabot[bot] <support@github.com>
    Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
    
    * build(deps): bump actions/setup-node from 6.3.0 to 6.4.0 (#1314)
    
    Bumps [actions/setup-node](https://github.com/actions/setup-node) from 6.3.0 to 6.4.0.
    - [Release notes](https://github.com/actions/setup-node/releases)
    - [Commits](actions/setup-node@53b8394...48b55a0)
    
    ---
    updated-dependencies:
    - dependency-name: actions/setup-node
      dependency-version: 6.4.0
      dependency-type: direct:production
      update-type: version-update:semver-minor
    ...
    
    Signed-off-by: dependabot[bot] <support@github.com>
    Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
    
    * build(deps): bump sigstore/gh-action-sigstore-python from 3.2.0 to 3.3.0 (#1312)
    
    Bumps [sigstore/gh-action-sigstore-python](https://github.com/sigstore/gh-action-sigstore-python) from 3.2.0 to 3.3.0.
    - [Release notes](https://github.com/sigstore/gh-action-sigstore-python/releases)
    - [Changelog](https://github.com/sigstore/gh-action-sigstore-python/blob/main/CHANGELOG.md)
    - [Commits](sigstore/gh-action-sigstore-python@a5caf34...04cffa1)
    
    ---
    updated-dependencies:
    - dependency-name: sigstore/gh-action-sigstore-python
      dependency-version: 3.3.0
      dependency-type: direct:production
      update-type: version-update:semver-minor
    ...
    
    Signed-off-by: dependabot[bot] <support@github.com>
    Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
    
    * build(deps): bump step-security/harden-runner from 2.18.0 to 2.19.0 (#1313)
    
    Bumps [step-security/harden-runner](https://github.com/step-security/harden-runner) from 2.18.0 to 2.19.0.
    - [Release notes](https://github.com/step-security/harden-runner/releases)
    - [Commits](step-security/harden-runner@6c3c2f2...8d3c67d)
    
    ---
    updated-dependencies:
    - dependency-name: step-security/harden-runner
      dependency-version: 2.19.0
      dependency-type: direct:production
      update-type: version-update:semver-minor
    ...
    
    Signed-off-by: dependabot[bot] <support@github.com>
    Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
    
    * Update package.json (#1317)
    
    fix #1316
    
    * build(deps-dev): bump jsdom from 29.0.2 to 29.1.0 (#1318)
    
    Bumps [jsdom](https://github.com/jsdom/jsdom) from 29.0.2 to 29.1.0.
    - [Release notes](https://github.com/jsdom/jsdom/releases)
    - [Commits](jsdom/jsdom@v29.0.2...v29.1.0)
    
    ---
    updated-dependencies:
    - dependency-name: jsdom
      dependency-version: 29.1.0
      dependency-type: direct:development
      update-type: version-update:semver-minor
    ...
    
    Signed-off-by: dependabot[bot] <support@github.com>
    Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
    
    * fix: apply URI validation to attributes allowed via ADD_ATTR callback (#1320)
    
    * fix: apply URI validation to attributes allowed via ADD_ATTR callback
    
    The function form of ADD_ATTR (introduced in PR #1150) allowed attribute
    names to bypass URI scheme validation. When the attributeCheck callback
    returned true, the attribute value was accepted without checking it
    against IS_ALLOWED_URI, meaning javascript: and data: URIs could pass
    through unsanitized.
    
    The array form of ADD_ATTR and the default ALLOWED_ATTR set both flow
    through URI validation correctly; the function form now does too.
    
    The fix removes the attributeCheck branch as a separate early-exit and
    folds it into the name-permitted test that precedes value validation:
    
      const nameIsPermitted =
        ALLOWED_ATTR[lcName] ||
        (EXTRA_ELEMENT_HANDLING.attributeCheck instanceof Function &&
          EXTRA_ELEMENT_HANDLING.attributeCheck(lcName, lcTag));
    
      } else if (!nameIsPermitted || FORBID_ATTR[lcName]) {
    
    Tests added: javascript: URI is stripped when href is allowed via
    ADD_ATTR callback; safe https: URI is preserved.
    
    * test: use assert.equal to avoid CodeQL substring URL warning
    
    * release: 3.4.2 (#1321)
    
    ---------
    
    Signed-off-by: dependabot[bot] <support@github.com>
    Signed-off-by: StepSecurity Bot <bot@stepsecurity.io>
    Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
    Co-authored-by: kodareef5 <kodareef5@gmail.com>
    Co-authored-by: StepSecurity Bot <bot@stepsecurity.io>
    Co-authored-by: bencalif <ben@calif.io>
    Co-authored-by: Developer <dev@devcontainer.local>
    Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
    Co-authored-by: 1Jesper1 <1jesper1@gmail.com>
    Co-authored-by: David Oliver <github_0UEMJhIUyGLn7@doliver.co.uk>
    Co-authored-by: Mario Heiderich <mario.heiderich@gmail.com>
    Co-authored-by: Drew Neil <andrew.jr.neil@gmail.com>
    11 people authored Apr 30, 2026
    Commit 6f67fd3
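The ordering problem the #1320 commit message describes, as an added illustration that is not DOMPurify's code: a miniature attribute filter with the pre-fix early exit beside the corrected flow, where the callback only decides whether the attribute *name* is permitted and every permitted attribute then passes through the same value check. The allow list, the URI attribute set, the whitespace regex and the URI regex below are constructed, simplified stand-ins for DOMPurify's own tables (the regex accepts only a handful of schemes), and `filterAttrsBuggy`, `filterAttrsFixed`, `valueIsSafe` and `allowHrefOnAnchor` are names invented here.

```javascript
// Added illustration (not DOMPurify's code): a miniature attribute filter that
// models the ordering bug described in the commit message. All tables below are
// constructed, simplified stand-ins for DOMPurify's real configuration.

// Simplified stand-in for DOMPurify's IS_ALLOWED_URI: an explicit set of safe
// schemes, anything that does not start with a letter (relative URLs), or a
// scheme-less token such as "page.html".
const IS_ALLOWED_URI = /^(?:(?:https?|mailto|tel):|[^a-z]|[a-z+.\-]+(?:[^a-z+.\-:]|$))/i;

// Control and whitespace characters that browsers ignore inside a URL; they are
// stripped before matching so a split scheme cannot dodge the regex (simplified).
const ATTR_WHITESPACE = /[\u0000-\u0020\u00A0\u1680\u180E\u2000-\u2029\u205F\u3000]/g;

// Attributes whose value is a URL and must therefore pass IS_ALLOWED_URI.
const URI_ATTRS = new Set(['href', 'src', 'action', 'formaction']);

// Constructed default allow list; "href" is deliberately absent so that it can
// only be admitted through the attributeCheck callback.
const ALLOWED_ATTR = new Set(['class', 'id', 'title', 'src', 'alt']);
const FORBID_ATTR = new Set();

// Value validation shared by both variants: non-URI attributes always pass,
// URI attributes must match the scheme allow list after normalisation.
function valueIsSafe(lcName, value) {
  if (!URI_ATTRS.has(lcName)) return true;
  return IS_ALLOWED_URI.test(value.replace(ATTR_WHITESPACE, ''));
}

// Pre-fix ordering: a truthy attributeCheck short-circuits straight to "keep",
// so the value is never compared against IS_ALLOWED_URI.
function filterAttrsBuggy(lcTag, attrs, attributeCheck) {
  const kept = {};
  for (const [name, value] of Object.entries(attrs)) {
    const lcName = name.toLowerCase();
    if (attributeCheck instanceof Function && attributeCheck(lcName, lcTag)) {
      kept[lcName] = value; // early exit: URI validation is skipped
      continue;
    }
    if (!ALLOWED_ATTR.has(lcName) || FORBID_ATTR.has(lcName)) continue;
    if (!valueIsSafe(lcName, value)) continue;
    kept[lcName] = value;
  }
  return kept;
}

// Fixed ordering, mirroring the snippet in the commit message: the callback is
// folded into the name-permitted test, and value validation follows for every
// permitted name regardless of how it was permitted.
function filterAttrsFixed(lcTag, attrs, attributeCheck) {
  const kept = {};
  for (const [name, value] of Object.entries(attrs)) {
    const lcName = name.toLowerCase();
    const nameIsPermitted =
      ALLOWED_ATTR.has(lcName) ||
      (attributeCheck instanceof Function && attributeCheck(lcName, lcTag));
    if (!nameIsPermitted || FORBID_ATTR.has(lcName)) continue;
    if (!valueIsSafe(lcName, value)) continue;
    kept[lcName] = value;
  }
  return kept;
}

// Constructed consumer configuration: allow href on <a> via the callback form.
const allowHrefOnAnchor = (attr, tag) => tag === 'a' && attr === 'href';

// Constructed sample attribute sets, run through both variants.
function demo() {
  const unsafe = { href: 'javascript:alert(1)', title: 'link' };
  const safe = { href: 'https://example.com/', title: 'link' };
  return {
    buggyUnsafe: filterAttrsBuggy('a', unsafe, allowHrefOnAnchor),
    fixedUnsafe: filterAttrsFixed('a', unsafe, allowHrefOnAnchor),
    fixedSafe: filterAttrsFixed('a', safe, allowHrefOnAnchor),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

The important design point is that the callback answers one question only, "may this attribute name appear on this tag?", and never doubles as a verdict on the value; keeping name and value decisions in separate stages is what lets a single URI check cover the default allow list, the array form and the function form alike.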