Security & Bug Fixes

Security

Fixed SVG sanitizer bypass via ASCII whitespace entities (https://github.com/rhukster/dom-sanitizer/issues/6) — Addresses a bypass of the CVE-2026-33172 fix where character entities like (tab), (newline), and (CR) could be used to smuggle javascript: URIs past the regex-based sanitization. The fix adds DOM-level URL scheme validation that operates on decoded attribute values, eliminating this entire class of entity-encoding bypasses.
Added comprehensive XSS event handler tests for GHSA-gxwg-x2jg-q44j to improve test coverage of onload, onclick, onerror, onmouseover, and other event handler stripping across SVG and HTML contexts.
Added SECURITY.md with instructions for private vulnerability reporting.

Fixed SVG filter elements being incorrectly removed (https://github.com/rhukster/dom-sanitizer/issues/5) — SVG filter tags (feGaussianBlur, feBlend, feColorMatrix, etc.) were defined in camelCase but compared against lowercased tag names, causing all filter elements to be silently stripped during sanitization.

1.0.8

1.0.7

1.0.6

1.0.5

1.0.4

1.0.3

1.0.2

1.0.1

1.0.0