Version 0.6.0

Pre-release
@Gigabyte5671 Gigabyte5671 released this 14 May 10:02
· 64 commits to main since this release

Sanitization

Generated HTML output is now sanitized by default. This should lower the risk of XSS vulnerabilities arising from use with user-generated or copy-pasted CSS. For example, the following CSS:

```css
img[onload="console.log('foo')"] {
    content: 'malicious.png';
}

script {
    content: 'fetch("http://malicious.com/").then(() => alert(1));';
}
```

when left un-sanitized, will produce:

```html
<body>
    <img src="malicious.png" onload="console.log('foo')">
    <script>
        fetch("http://malicious.com/").then(() => alert(1));
    </script>
</body>
```

But when sanitized, it will instead produce:

```html
<body>
    <img src="malicious.png">
    <script></script>
</body>
```

Options

If you're using CSS-to-HTML as part of a framework or build process, elements like this may actually be desired. For cases like this, a new option has been added to configure the sanitization behaviour:

| Option | Values | Description |
| --- | --- | --- |
| `sanitize` | `all` (default) | Sanitize the generated HTML using DOMPurify. |
| | `imports` | Only sanitize the HTML generated from imported stylesheets. |
| | `off` | Don't sanitize the generated HTML. |
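
As an added example (not code from the CSS-to-HTML project), the following JavaScript audits a generated HTML string for the constructs that sanitization is meant to remove (inline `on*` event handlers, `javascript:` URLs in `href`/`src`/`action`, and `<script>` elements with a body), using the un-sanitized and sanitized outputs shown above as constructed samples. A build step can run such a check on the library's output to confirm that whichever `sanitize` value is configured still yields safe markup; the function name `auditGeneratedHtml` is an assumption.

```javascript
// Constructed samples: the two outputs shown in the release notes above.
const UNSANITIZED = `<body>
    <img src="malicious.png" onload="console.log('foo')">
    <script>
        fetch("http://malicious.com/").then(() => alert(1));
    </script>
</body>`;

const SANITIZED = `<body>
    <img src="malicious.png">
    <script></script>
</body>`;

// Scans opening tags and their attributes; returns a list of human-readable
// findings. An empty list means none of the audited constructs were present.
// (Hypothetical helper, not part of the CSS-to-HTML API.)
function auditGeneratedHtml(html) {
  const findings = [];

  // 1. Attribute-level checks on every opening tag.
  const tagRe = /<([a-zA-Z][\w-]*)\b([^>]*)>/g;
  const attrRe = /([^\s=]+)(?:\s*=\s*("[^"]*"|'[^']*'|[^\s"'>]+))?/g;
  let tag;
  while ((tag = tagRe.exec(html)) !== null) {
    const [, name, attrText] = tag;
    let attr;
    while ((attr = attrRe.exec(attrText)) !== null) {
      const attrName = attr[1].toLowerCase();
      const value = (attr[2] || '').replace(/^["']|["']$/g, '');
      if (attrName.startsWith('on')) {
        findings.push(`<${name}> has inline event handler ${attrName}`);
      }
      if (/^(href|src|action)$/.test(attrName) && /^\s*javascript:/i.test(value)) {
        findings.push(`<${name}> ${attrName} uses a javascript: URL`);
      }
    }
  }

  // 2. <script> elements that still carry a body after sanitization.
  const scriptRe = /<script\b[^>]*>([\s\S]*?)<\/script>/gi;
  let script;
  while ((script = scriptRe.exec(html)) !== null) {
    if (script[1].trim() !== '') findings.push('<script> element has a non-empty body');
  }
  return findings;
}
```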

Breaking Changes

Important

Because sanitization is enabled by default, certain CSS inputs may produce different HTML outputs than before.
It is recommended to double-check your use case before updating.