release 2.12.1

boutell · boutell · commit f8e02be9fc3e · 2024-02-22T11:30:42.000-05:00
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,5 +1,9 @@
 # Changelog
 
+## 2.12.1 (2024-02-22)
+
+- Do not parse sourcemaps in `post-css`. This fixes a vulnerability in which information about the existence or non-existence of files on a server could be disclosed via properly crafted HTML input when the `style` attribute is allowed by the configuration. Thanks to the [Snyk Security team](https://snyk.io/) for the disclosure and to [Dylan Armstrong](https://dylan.is/) for the fix.
+
 ## 2.12.0 (2024-02-21)
 
 - Introduced the `allowedEmptyAttributes` option, enabling explicit specification of empty string values for select attributes, with the default attribute set to `alt`. Thanks to [Na](https://github.com/zhna123) for the contribution.
diff --git a/package.json b/package.json
@@ -1,6 +1,6 @@
 {
   "name": "sanitize-html",
-  "version": "2.12.0",
+  "version": "2.12.1",
   "description": "Clean up user-submitted HTML, preserving allowlisted elements and allowlisted attributes on a per-element basis",
   "sideEffects": false,
   "main": "index.js",

Original file line number	Diff line number	Diff line change
`@@ -1,6 +1,6 @@`
`1`	`1`	`{`
`2`	`2`	`"name": "sanitize-html",`
`3`		`- "version": "2.12.0",`
	`3`	`+ "version": "2.12.1",`
`4`	`4`	`"description": "Clean up user-submitted HTML, preserving allowlisted elements and allowlisted attributes on a per-element basis",`
`5`	`5`	`"sideEffects": false,`
`6`	`6`	`"main": "index.js",`