Skip to content

Commit

Permalink
DOC-2456: Update DOMPurify version in security guide
Browse files Browse the repository at this point in the history
  • Loading branch information
FarzadHayat committed Jun 18, 2024
1 parent 0475b29 commit 108aab4
Showing 1 changed file with 4 additions and 4 deletions.
Original file line number Diff line number Diff line change
Expand Up @@ -5,18 +5,18 @@ Previously, before HTML content was passed to {productname} 5.x, it was parsed u

The `SaxParser` API was developed in the then-absence of alternatives.

When this APIs validate setting was enabled — `validate: true` — `SaxParser` removed elements and attributes that did not fit the declared schema.
When this API's validate setting was enabled — `validate: true` — `SaxParser` removed elements and attributes that did not fit the declared schema.

And, over its lifetime, `SaxParser` was extended. For example, as of {productname} 5.9, the `SaxParser` API marked attributes with certain names or IDs as unsafe, because some names or IDs can cause the host browser to overwrite existing properties or functions.

For {productname} 6.0, however, this basic parser was removed and replaced with two significantly more thorough alternatives:
Since {productname} 6.0, this basic parser was removed and replaced with two significantly more thorough alternatives:

. the https://developer.mozilla.org/en-US/docs/Web/API/DOMParser[native browser API], `DOMParser()`; and
. the Free and Open Source _https://github.com/cure53/DOMPurify[XSS sanitizer for HTML, MathML and SVG]_, DOMPurify.

NOTE: {productname} uses DOMPurify 2.x, which was current at the time version 6 was developed.
NOTE: {productname} uses DOMPurify 3.x, which was current at the time {productname} {productmajorversion} was developed.

Before HTML (or XML) content is passed to {productname} 6.x, the `DOMParser` API parses the HTML (or XML) string into a https://developer.mozilla.org/en-US/docs/Web/API/Document_Object_Model[DOM object]. As part of this process, `DOMParser` attempts to correct malformed HTML.
Before HTML (or XML) content is passed to {productname} {productmajorversion}, the `DOMParser` API parses the HTML (or XML) string into a https://developer.mozilla.org/en-US/docs/Web/API/Document_Object_Model[DOM object]. As part of this process, `DOMParser` attempts to correct malformed HTML.

For example, the following string:

Expand Down

0 comments on commit 108aab4

Please sign in to comment.