[ANN] loofah 2.1.0.rc1 released

loofah version 2.1.0.rc1 has been released!

TL;DR: CSS property parsing and sanitization has been re-implemented on
top
of Crass:

https://github.com/rgrove/crass

replacing the regexes that were lifted from html5lib back in 2009. I’m
relatively sure this is a good thing.

I would very much like feedback on this implementation before cutting an
actual release, as Loofah is the underlying implementation for Rails
sanitization, and thus has a large surface area. See this article for
history on Loofah’s adoption in Rails:

http://blog.plataformatec.com.br/2014/07/the-new-html-sanitizer-in-rails-4-2/

Please provide feedback on this implementation here:

https://github.com/flavorjones/loofah/issues/91

If I don’t know of any blockers by 28 August 2015, I’ll release 2.1.0
final
based on this implementation.

  • mike
    @flavorjones

Loofah is a general library for manipulating and transforming HTML/XML
documents and fragments. It’s built on top of Nokogiri and libxml2, so
it’s fast and has a nice API.

Loofah excels at HTML sanitization (XSS prevention). It includes some
nice HTML sanitizers, which are based on HTML5lib’s whitelist, so it
most likely won’t make your codes less secure. (These statements have
not been evaluated by Netexperts.)

ActiveRecord extensions for sanitization are available in the
loofah-activerecord gem (see
https://github.com/flavorjones/loofah-activerecord).

Changes:

2.1.0.rc1 / 2015-08-17

Notes:

Bug fixes:

  • Allow negative values in CSS properties. Restores functionality that
    was
    reverted in v2.0.3. #91

This forum is not affiliated to the Ruby language, Ruby on Rails framework, nor any Ruby applications discussed here.

| Privacy Policy | Terms of Service | Remote Ruby Jobs