🚨 Insufficient Granularity of Access Control in JSDom

JSDom improperly allows the loading of local resources, which allows for local files to be manipulated by a malicious web page when script execution is enabled.

16.7.0

• Added AbortSignal.abort(). (ninevra)
• Added dummy x and y properties to the return value of getBoundingClientRect(). (eiko)
• Implemented wrapping for textareaEl.value if the wrap="" attribute is specified. (ninevra)
• Changed newline normalization in <textarea>s according to recent HTML Standard updates. (ninevra)
• Fixed some bad cascade computation in getComputedStyle(). (romain-trotard)

16.6.0

• Added parentNode.replaceChildren(). (@ninevra)
• Fixed jsdom's handling of when code running inside the jsdom throws null or undefined as an exception. (@mbest)
• Removed the dependency on the deprecated request package, in the process fixing several issues with the XMLHttpRequest implementation around header processing. Thanks go to @tobyhinloopen, @andrewaylett, and especially @vegardbb, for completing this months-long effort!

16.5.3

• Fixed infinite recursion when using MutationObservers to observe elements inside a MutationObserver callback.

16.5.2

• Fixed Access-Control-Allow-Headers: * to work with XMLHttpRequest. (silviot)
• Fixed xhr.response to strip any leading BOM when xhr.responseType is "json".
• Fixed new Text() and new Comment() constructors to properly set the resulting node's ownerDocument.
• Fixed customElements.whenDefined() to resolve its returned promise with the custom element constructor, per recent spec updates. (ExE-Boss)
• Fixed parsing to ensure that <svg><template></template></svg> does not throw an exception, but instead correctly produces a SVG-namespace <template> element.
• Fixed domParser.parseFromString() to treat <noscript> elements appropriately.
• Fixed form control validity checking when the control was outside the <form> element and instead associated using the form="" attribute.
• Fixed legendEl.form to return the correct result based on its parent <fieldset>.
• Fixed optionEl.text to exclude <script> descendants.
• Fixed radio buttons and checkboxes to not fire input and change events when disconnected.
• Fixed inputEl.indeterminate to reset to its previous value when canceling a click event on a checkbox or radio button.
• Fixed the behavior of event handler attributes (e.g. onclick="...code...") when there were global variables named element or formOwner. (ExE-Boss)
• On Node.js v14.6.0+ where WeakRefs are available, fixed NodeIterator to no longer stop working when more than ten NodeIterator instances are created, and to use less memory due to inactive NodeIterators sticking around. (ExE-Boss)

16.5.1

• Fixed a regression that broke customElements.get() in v16.5.0. (fdesforges)
• Fixed window.event to have a setter which overwrites the window.event property with the given value, per the specification. This fixes an issue where after upgrading to jsdom v16.5.0 you would no longer be able to set a global variable named event in the jsdom context.

16.5.0

• Added window.queueMicrotask().
• Added window.event.
• Added inputEvent.inputType. (diegohaz)
• Removed ondragexit from Window and friends, per a spec update.
• Fixed the URL of about:blank iframes. Previously it was getting set to the parent's URL. (SimonMueller)
• Fixed the loading of subresources from the filesystem when they had non-ASCII filenames.
• Fixed the hidden="" attribute to cause display: none per the user-agent stylesheet. (ph-fritsche)
• Fixed the new File() constructor to no longer convert / to :, per a pending spec update.
• Fixed mutation observer callbacks to be called with the MutationObserver instance as their this value.
• Fixed <input type=checkbox> and <input type=radio> to be mutable even when disabled, per a spec update.
• Fixed XMLHttpRequest to not fire a redundant final progress event if a progress event was previously fired with the same loaded value. This would usually occur with small files.
• Fixed XMLHttpRequest to expose the Content-Length header on cross-origin responses.
• Fixed xhr.response to return null for failures that occur during the middle of the download.
• Fixed edge cases around passing callback functions or event handlers. (ExE-Boss)
• Fixed edge cases around the properties of proxy-like objects such as localStorage or dataset. (ExE-Boss)
• Fixed a potential memory leak with custom elements (although we could not figure out how to trigger it). (soncodi)

Does any of this look wrong? Please let us know.

See the full diff on Github. The new version differs by more commits than we can show here.

@​depfu rebase

Rebases against your default branch and redoes this update

@​depfu recreate

Recreates this PR, overwriting any edits that you've made to it

@​depfu merge

Merges this PR once your tests are passing and conflicts are resolved

@​depfu close

Closes this PR and deletes the branch

@​depfu reopen

Restores the branch and reopens this PR (if it's closed)

@​depfu pause

Ignores all future updates for this dependency and closes this PR

@​depfu pause [minor|major]

Ignores all future minor/major updates for this dependency and closes this PR

@​depfu resume

Future versions of this dependency will create PRs again (leaves this PR as is)