[ANN] loofah 0.4.7 Released

loofah version 0.4.7 has been released!

Loofah is a general library for manipulating and transforming HTML/XML
documents and fragments. It’s built on top of Nokogiri and libxml2, so
it’s fast and has a nice API.

Loofah excels at HTML sanitization (XSS prevention). It includes some
nice HTML sanitizers, which are based on HTML5lib’s whitelist, so it
most likely won’t make your codes less secure. (These statements have
not been evaluated by Netexperts.)

== Changes

0.4.7 (2010-03-09)

Enhancements:

  • New methods Loofah::HTML::Document#to_text and
    Loofah::HTML::DocumentFragment#to_text do the right thing with
    whitespace. Note that these methods are significantly slower than
    #text. GH #12
  • Loofah::Elements::BLOCK_LEVEL contains a canonical list of HTML4
    block-level elements.
  • Loofah::HTML::Document#text and Loofah::HTML::DocumentFragment#text
    will return unescaped HTML entities by passing
    :encode_special_chars => false.

== Features

  • Easily write custom scrubbers for HTML/XML leveraging the sweetness of
    Nokogiri (and HTML5lib’s whitelists).
  • Common HTML sanitizing tasks are built-in:
    • Strip unsafe tags, leaving behind only the inner text.
    • Prune unsafe tags and their subtrees, removing all traces that
      they ever existed.
    • Escape unsafe tags and their subtrees, leaving behind lots of
      &lt; and &gt; entities.
    • Whitewash the markup, removing all attributes and namespaced
      nodes.
  • Common HTML transformation tasks are built-in:
    • Add the nofollow attribute to all hyperlinks.
  • Format markup as plain text, with or without sensible whitespace
    handling around block elements.
  • Replace Rails’s +strip_tags+ and +sanitize+ helper methods.
  • Two ActiveRecord extensions:

== Compare and Contrast

Loofah is one of two known Ruby XSS/sanitization solutions that
guarantees well-formed and valid markup (the other is Sanitize, which
also uses Nokogiri).

Loofah works fine on XML, XHTML and HTML documents.

Also, it’s pretty fast. Here is a benchmark comparing Loofah to other
commonly-used libraries (ActionView, Sanitize, HTML5lib and HTMLfilter):

Lastly, Loofah is extensible. It’s super-easy to write your own custom
scrubbers for whatever document manipulation you need. You don’t like
the built-in scrubbers? Build your own, like a boss.

Mike D. [email protected] wrote:

Loofah excels at HTML sanitization (XSS prevention). It includes some
nice HTML sanitizers, which are based on HTML5lib’s whitelist, so it
most likely won’t make your codes less secure. (These statements have
not been evaluated by Netexperts.)

Because I'm using Nokogiri daily, I wanted to test Loofah with a small
script (coming from http://loofah.rubyforge.org/loofah/):

#! /opt/local/bin/ruby1.9
# encoding: utf-8

require 'rubygems'
require 'nokogiri'
require 'loofah'

# Sample markup from the Loofah docs linked above. The tags were lost when
# this message was archived; the <div> is recovered from the surviving text
# and the <script> part is restored from the same documentation example.
unsafe_html = "ohai! <div>div is safe</div> <script>but script is not</script>"

# :strip removes the unsafe tags but keeps their inner text
doc = Loofah.fragment(unsafe_html).scrub!(:strip)
puts doc.to_s

However, I got:
SyntaxError:
/opt/local/lib/ruby1.9/gems/1.9.1/gems/loofah-1.0.0/lib/loofah/html5/scrub.rb:20: too short escaped multibyte character:
/`|[\000-\040\177\s]+|\302[\200-\240]/
method require in untitled document at line 29
method require in untitled document at line 29
method <top (required)> in loofah.rb at line 9
method require in untitled document at line 33
method rescue in require in untitled document at line 33
method require in untitled document at line 29
method in loofah_first_test.rb at line 22

ruby 1.9.2p0 (2010-08-18 revision 29036) [x86_64-darwin10]
over Mac OS X SL
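
The regexp in that traceback is the attribute-value normaliser that HTML5lib-derived sanitizers run over href/src values before comparing the scheme with their allowlist; the byte escapes \302[\200-\240] (UTF-8 for U+0080..U+00A0) are what a UTF-8 regexp refuses to compile. The following is an added example, not Loofah's code and not part of the reply: it keeps the byte-escape pattern as a plain String to show the RegexpError, rewrites the same character set with Unicode escapes so it compiles under Ruby 1.9 and later, and runs the resulting scheme check over a few constructed attribute values. The scheme allowlist and the function names are assumptions.

```ruby
# Added example, not Loofah's code. The pattern from the reply's traceback is
# kept as a plain String, not a regexp literal, so this file itself parses.
LEGACY_PATTERN = '`|[\000-\040\177\s]+|\302[\200-\240]'

# Same character set with Unicode escapes, valid in a UTF-8 regexp:
# backtick, C0 controls and space, DEL, C1 controls and NO-BREAK SPACE
# (the \302[\200-\240] byte range is U+0080..U+00A0 in UTF-8), plus \s.
CRAZY_WHITESPACE = /[`\u0000-\u0020\u007f\u0080-\u00a0\s]+/

# Assumed scheme allowlist for this example (not Loofah's list).
SAFE_SCHEMES = %w[http https mailto ftp].freeze

# true if the byte-escape pattern compiles as a UTF-8 regexp. Under Ruby 1.9
# and later it does not: \302 is a UTF-8 lead byte that must be followed by
# another escaped byte, and "[" is not one, which is the "too short escaped
# multibyte character" error seen in the reply.
def legacy_pattern_compiles?
  Regexp.new(LEGACY_PATTERN) # the String carries the UTF-8 source encoding
  true
rescue RegexpError
  false
end

# Strip the characters a browser ignores inside a URL, then lowercase, so a
# scheme cannot be disguised with embedded NULs, tabs or no-break spaces.
def normalize_url(value)
  value.gsub(CRAZY_WHITESPACE, "").downcase
end

# Keep a URL attribute only if it is relative or its scheme is allow-listed.
# As in the HTML5lib check, any value containing ":" is treated as absolute.
def safe_url?(value)
  normalized = normalize_url(value)
  return true unless normalized.include?(":")
  SAFE_SCHEMES.include?(normalized.split(":", 2).first)
end

if __FILE__ == $0
  # Constructed sample attribute values
  ["http://example.com/", "/relative/path",
   "java\u0000script:void(0)", "\u00a0JavaScript:void(0)"].each do |v|
    puts "#{v.inspect} => #{safe_url?(v) ? 'keep' : 'drop'}"
  end
end
```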