[ANN] loofah 2.1.0.rc1 released

loofah version 2.1.0.rc1 has been released!

TL;DR: CSS property parsing and sanitization has been re-implemented on
of Crass:


replacing the regexes that were lifted from html5lib back in 2009. I’m
relatively sure this is a good thing.

I would very much like feedback on this implementation before cutting an
actual release, as Loofah is the underlying implementation for Rails
sanitization, and thus has a large surface area. See this article for
history on Loofah’s adoption in Rails:

Please provide feedback on this implementation here:


If I don’t know of any blockers by 28 August 2015, I’ll release 2.1.0
based on this implementation.

  • mike

Loofah is a general library for manipulating and transforming HTML/XML
documents and fragments. It’s built on top of Nokogiri and libxml2, so
it’s fast and has a nice API.

Loofah excels at HTML sanitization (XSS prevention). It includes some
nice HTML sanitizers, which are based on HTML5lib’s whitelist, so it
most likely won’t make your codes less secure. (These statements have
not been evaluated by Netexperts.)

ActiveRecord extensions for sanitization are available in the
loofah-activerecord gem (see
GitHub - flavorjones/loofah-activerecord: ActiveRecord sanitization using Loofah and Nokogiri).


2.1.0.rc1 / 2015-08-17


Bug fixes:

  • Allow negative values in CSS properties. Restores functionality that
    reverted in v2.0.3. #91