Releases: xmldom/xmldom

0.9.10

18 Apr 11:35
bf396a5

Fixed

  • Security: XMLSerializer.serializeToString() (and Node.toString(), NodeList.toString()) now accept a requireWellFormed option. When { requireWellFormed: true } is passed, the serializer throws InvalidStateError for injection-prone node content, preventing XML injection via attacker-controlled node data. GHSA-j759-j44w-7fr8 GHSA-x6wf-f3px-wcqx GHSA-f6ww-3ggp-fr8h
    • Comment: throws when data contains -- anywhere, ends with -, or contains characters outside the XML Char production
    • ProcessingInstruction: throws when target contains : or matches xml (case-insensitive), or data contains characters outside the XML Char production or contains ?>
    • DocumentType: throws when publicId fails PubidLiteral, systemId fails SystemLiteral, or internalSubset contains ]>
  • Security: DOM traversal operations (XMLSerializer.serializeToString(), Node.prototype.normalize(), Node.prototype.cloneNode(true), Document.prototype.importNode(node, true), node.textContent getter, getElementsByTagName() / getElementsByTagNameNS() / getElementsByClassName() / getElementById(), Node.prototype.isEqualNode()) are now iterative. Previously, deeply nested DOM trees would exhaust the JavaScript call stack and throw an unrecoverable RangeError. GHSA-2v35-w6hq-6mfw
  • isEqualNode now correctly returns false for CDATASection nodes with different data
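Why the iterative traversal matters, as an added example that is not xmldom's own code: a minimal node model (makeNode, textContentRecursive, textContentIterative and the DEPTH constant are my own names and assumptions) in which the recursive getter fails with the RangeError described above and the explicit-stack version does not.

```javascript
// Added example, not xmldom's own code: a minimal node model showing why a
// recursive traversal fails on deeply nested trees (the pre-0.9.10 RangeError)
// and how an explicit heap-allocated stack, as the release adopts, avoids it.
function makeNode(nodeName, children = [], data = '') {
  return { nodeName, data, childNodes: children };
}

// Constructed input: DEPTH nested elements around a single text leaf.
const DEPTH = 200000;
function makeDeepTree(depth) {
  let node = makeNode('#text', [], 'leaf');
  for (let i = 0; i < depth; i++) node = makeNode('div', [node]);
  return node;
}

// Pre-fix style: one call frame per nesting level.
function textContentRecursive(node) {
  if (node.nodeName === '#text') return node.data;
  return node.childNodes.map((child) => textContentRecursive(child)).join('');
}

// Iterative style: the work list lives on the heap, so depth is bounded by
// memory, not by the engine's call-stack limit. Children are pushed in
// reverse so they are visited in document order.
function textContentIterative(root) {
  const out = [];
  const stack = [root];
  while (stack.length) {
    const node = stack.pop();
    if (node.nodeName === '#text') { out.push(node.data); continue; }
    for (let i = node.childNodes.length - 1; i >= 0; i--) stack.push(node.childNodes[i]);
  }
  return out.join('');
}

// Name of the error the recursive version raises on a tree, or null if none.
function recursiveFailureName(node) {
  try { textContentRecursive(node); return null; } catch (e) { return e.name; }
}
```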

Deprecated

  • The splitCDATASections serializer option is deprecated and will be removed in the next breaking release. The automatic splitting of "]]>" in CDATASection data was introduced as a workaround; use requireWellFormed: true or ensure CDATASection data does not contain "]]>" before serialization.
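The requireWellFormed rules listed under Fixed and the CDATA "]]>" handling this deprecation refers to, as an added example that is not xmldom's own code: a standalone model of the checks (the function names, the XML_CHAR and PUBID_CHAR regular expressions and the option handling are my own assumptions, written from the release notes, not from the library).

```javascript
// Added example, not xmldom's own code: a standalone model of the
// requireWellFormed checks listed above (Comment, ProcessingInstruction,
// DocumentType) and of the CDATA "]]>" handling from 0.9.9 / 0.9.10.
const XML_CHAR = /^[\t\n\r\u0020-\uD7FF\uE000-\uFFFD\u{10000}-\u{10FFFF}]*$/u;
// PubidChar production from XML 1.0, used to validate a PubidLiteral.
const PUBID_CHAR = /^[ \r\na-zA-Z0-9\-'()+,.\/:=?;!*#@$_%]*$/;
class InvalidStateError extends Error {
  constructor(message) { super(message); this.name = 'InvalidStateError'; }
}
// With requireWellFormed unset each function returns the raw, injectable
// markup (the pre-0.9.10 behaviour); with it set, it throws instead.
function serializeComment(data, opts = {}) {
  if (opts.requireWellFormed &&
      (data.includes('--') || data.endsWith('-') || !XML_CHAR.test(data))) {
    throw new InvalidStateError('Comment data is not well-formed');
  }
  return `<!--${data}-->`;
}

function serializeProcessingInstruction(target, data, opts = {}) {
  if (opts.requireWellFormed &&
      (target.includes(':') || /^xml$/i.test(target) ||
       data.includes('?>') || !XML_CHAR.test(data))) {
    throw new InvalidStateError('ProcessingInstruction is not well-formed');
  }
  return `<?${target} ${data}?>`;
}

function serializeDocumentType(name, publicId, systemId, internalSubset, opts = {}) {
  // SystemLiteral is delimited by " or ', so it may not contain both.
  if (opts.requireWellFormed &&
      (!PUBID_CHAR.test(publicId) ||
       (systemId.includes('"') && systemId.includes("'")) ||
       internalSubset.includes(']>'))) {
    throw new InvalidStateError('DocumentType is not well-formed');
  }
  const q = systemId.includes('"') ? "'" : '"';
  return `<!DOCTYPE ${name} PUBLIC "${publicId}" ${q}${systemId}${q}` +
    (internalSubset ? ` [${internalSubset}]` : '') + '>';
}

function serializeCDATA(data, opts = {}) {
  if (data.includes(']]>')) {
    if (opts.requireWellFormed) throw new InvalidStateError('CDATA data contains "]]>"');
    // Deprecated splitCDATASections workaround: close the section and reopen it.
    if (opts.splitCDATASections) data = data.split(']]>').join(']]]]><![CDATA[>');
  }
  return `<![CDATA[${data}]]>`;
}
```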

Chore

  • updated dependencies

Thank you, @Jvr2022, @praveen-kv, @TharVid, @decsecre583, @tlsbollei, @KarimTantawey, for your contributions.

0.8.13

18 Apr 11:29
e5c1480

Fixed

  • Security: XMLSerializer.serializeToString() (and Node.toString(), NodeList.toString()) now accept a requireWellFormed option (fourth argument, after isHtml and nodeFilter). When { requireWellFormed: true } is passed, the serializer throws InvalidStateError for injection-prone node content, preventing XML injection via attacker-controlled node data. GHSA-j759-j44w-7fr8 GHSA-x6wf-f3px-wcqx GHSA-f6ww-3ggp-fr8h
    • Comment: throws when data contains -->
    • ProcessingInstruction: throws when data contains ?>
    • DocumentType: throws when publicId fails PubidLiteral, systemId fails SystemLiteral, or internalSubset contains ]>
  • Security: DOM traversal operations (XMLSerializer.serializeToString(), Node.prototype.normalize(), Node.prototype.cloneNode(true), Document.prototype.importNode(node, true), node.textContent getter, getElementsByTagName() / getElementsByTagNameNS() / getElementsByClassName() / getElementById()) are now iterative. Previously, deeply nested DOM trees would exhaust the JavaScript call stack and throw an unrecoverable RangeError. GHSA-2v35-w6hq-6mfw

Thank you, @Jvr2022, @praveen-kv, @TharVid, @decsecre583, @tlsbollei, @KarimTantawey, for your contributions.

0.9.9

29 Mar 19:48
7ffb16b

Added

  • implement ParentNode.children getter #960 / #410

Fixed

  • Security: createCDATASection now throws InvalidCharacterError when data contains "]]>", as required by the WHATWG DOM spec. GHSA-wh4c-j3r5-mjhp
  • Security: XMLSerializer now splits CDATASection nodes whose data contains "]]>" into adjacent CDATA sections at serialization time, preventing XML injection via mutation methods (appendData, replaceData, .data =, .textContent =). GHSA-wh4c-j3r5-mjhp
  • correctly traverse ancestor chain in Node.contains #931

Code that passes a string containing "]]>" to createCDATASection and relied on the previously unsafe behavior will now receive InvalidCharacterError. Use a mutation method such as appendData if you intentionally need "]]>" in a CDATASection node's data.

Chore

  • updated dependencies

Thank you, @stevenobiajulu, @yoshi389111, @thesmartshadow, for your contributions.

0.8.12

29 Mar 19:24
189cb78

Fixed

  • preserve trailing whitespace in ProcessingInstruction data #962 / #42
  • Security: createCDATASection now throws InvalidCharacterError when data contains "]]>", as required by the WHATWG DOM spec. GHSA-wh4c-j3r5-mjhp
  • Security: XMLSerializer now splits CDATASection nodes whose data contains "]]>" into adjacent CDATA sections at serialization time, preventing XML injection via mutation methods (appendData, replaceData, .data =, .textContent =). GHSA-wh4c-j3r5-mjhp

Code that passes a string containing "]]>" to createCDATASection and relied on the previously unsafe behavior will now receive InvalidCharacterError. Use a mutation method such as appendData if you intentionally need "]]>" in a CDATASection node's data.

Thank you, @thesmartshadow, @stevenobiajulu, for your contributions.

0.8.11

17 Aug 14:14
c0f1401

Fixed

  • update ownerDocument when moving nodes between documents #933 / #932

Thank you, @shunkica, for your contributions

0.9.8

28 Feb 15:55
4a1e6e9

Fixed

  • fix: replace \u2029 as part of normalizeLineEndings #839 / #838
  • perf: speed up line detection #847 / #838

Chore

  • updated dependencies
  • drop jazzer and rxjs devDependencies #845

Thank you, @kboshold, @Ponynjaa, for your contributions.

0.9.7

19 Jan 19:41
e10cdf1

Added

  • Implementation of hasAttributes #804

Fixed

  • locator is now true even when other options are being used for the DOMParser #802 / #803
  • allow case-insensitive DOCTYPE in HTML #817 / #819

Performance

  • simplify DOM.compareDocumentPosition #805

Chore

  • updated devDependencies

Thank you, @zorkow, @Ponynjaa, @WesselKroos, for your contributions.

0.9.6

05 Dec 06:28
0a64f48

Fixed

  • lower error level for unicode replacement character #790 / #794 / #797

Chore

  • updated devDependencies
  • migrate renovate config #792

Thank you, @eglitise, for your contributions.

0.9.5

26 Oct 09:30
e4d087e

Fixed

  • fix: re-index childNodes on insertBefore #763 / #766

Thank you, @mureinik, for your contributions.

0.9.4

13 Oct 23:01
65d028a

Fixed

  • restore performance for large numbers of child nodes #748 / #760
  • types: correct error handler level to warning (#759) #754 / #759

Docs

  • test: verify BOM handling #758

Thank you, @luffynando, @mattiasw, @JoinerDev, for your contributions.