Releases: cure53/DOMPurify

DOMPurify 3.3.0

13 Oct 16:02
36d1fbc

  • Added the SVG mask-type attribute to default allow-list, thanks @prasadrajandran
  • Added support for ADD_ATTR and ADD_TAGS to accept functions, thanks @nelstrom
  • Fixed an issue with the slot element being in both SVG and HTML allow-list, thanks @Wim-Valgaeren

DOMPurify 3.2.7

17 Sep 11:47
eaa0bdb

  • Added new attributes and elements to default allow-list, thanks @elrion018
  • Added tagName parameter to custom element attributeNameCheck, thanks @nelstrom
  • Added better check for animated href attributes, thanks @llamakko
  • Updated and improved the bundled types, thanks @ssi02014
  • Updated several tests to better align with new browser encoding behaviors
  • Improved the handling of potentially risky content inside CDATA elements, thanks @securityMB & @terjanq
  • Improved the regular expression for raw-text elements to cover textareas, thanks @securityMB & @terjanq

DOMPurify 3.2.6

19 May 15:21
32f765e

DOMPurify 3.2.5

03 Apr 13:10
7806004

  • Added a check to the mXSS detection regex to be more strict, thanks @masatokinugawa
  • Added ESM type imports in source, removes patch function, thanks @donmccurdy
  • Added script to verify various TypeScript configurations, thanks @reduckted
  • Added more modern browsers to the Karma launchers list
  • Added Node 23.x to tested runtimes, removed Node 17.x
  • Fixed the generation of source maps, thanks @reduckted
  • Fixed an unexpected behavior with ALLOWED_URI_REGEXP using the 'g' flag, thanks @hhk-png
  • Fixed a few typos in the README file

DOMPurify 3.2.4

30 Jan 09:34
ec29e65

  • Fixed a conditional and config dependent mXSS-style bypass reported by @nsysean
  • Added a new feature to allow specific hook removal, thanks @davecardwell
  • Added purify.js and purify.min.js to exports, thanks @Aetherinox
  • Added better logic in case no window object is present, thanks @yehuya
  • Updated some dependencies called out by dependabot
  • Updated license files etc to show the correct year

DOMPurify 3.2.3

09 Dec 09:21
f1106aa

  • Fixed two conditional sanitizer bypasses discovered by @parrot409 and @Slonser
  • Updated the attribute clobbering checks to prevent future bypasses, thanks @parrot409

DOMPurify 2.5.8

09 Dec 09:04
ee992fc

  • Fixed two conditional sanitizer bypasses discovered by @parrot409 and @Slonser
  • Updated the attribute clobbering checks to prevent future bypasses, thanks @parrot409

DOMPurify 3.2.2

29 Nov 10:47
3990b7e

  • Fixed a possible bypass in case a rather specific config for custom elements is set, thanks @Yaniv-git
  • Fixed several minor issues with the type definitions, thanks again @reduckted
  • Fixed a minor issue with the types reference for trusted types, thanks @reduckted
  • Fixed a minor problem with the template detection regex on some systems, thanks @svdb99

DOMPurify 3.2.1

20 Nov 10:22
7f154b3

DOMPurify 3.2.0

11 Nov 15:09
f0d7507
