loofah version 0.3.1 has been released!
- http://loofah.rubyforge.org
- http://rubyforge.org/projects/loofah
- http://github.com/flavorjones/loofah
Loofah is an HTML sanitizer. It will always fix broken markup, but
can also sanitize unsafe tags in a few different ways, and transform
the markup for storage or display.
It’s built on top of Nokogiri and libxml2, so it’s fast. And it uses
html5lib’s whitelist, so it most likely won’t make your code less
secure. *
* These statements have not been evaluated by Netexperts.
== CHANGES in 0.3.1
Bug fixes:
- Scrubbed Documents properly render html, head and body tags when
serialized.
== FEATURES
- Strip unsafe tags, leaving behind only the inner text.
- Prune unsafe tags and their subtrees, removing all traces that
  they ever existed.
- Escape unsafe tags and their subtrees, leaving behind lots of
  &lt; and &gt; entities.
- Whitewash the markup, removing all attributes and namespaced nodes.
- Format the markup as plain text.
- Replacements for Rails’s +strip_tags+ and +sanitize+ helper methods.
- TWO! Count them, TWO! ActiveRecord extensions:
  - Loofah::XssFoliate (an XssTerminate[http://github.com/look/xss_terminate]
    drop-in replacement) is an opt-out sanitizer; by default all models
    and attributes are sanitized.
  - Loofah::ActiveRecordExtension is an opt-in sanitizer; you must
    explicitly declare attributes to be sanitized.
- 99 44/100 % pure
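To make the difference between the strip, prune and escape strategies concrete, here is an added example in Ruby. It is not Loofah's code: it models the three strategies on a small hand-built node tree instead of parsed HTML, with an assumed four-tag whitelist and an assumed href scheme check standing in for html5lib's whitelist, so it runs without Loofah or Nokogiri installed. The sample markup is constructed for the demo.

```ruby
# Added example, not Loofah's own code: a toy model of the strip / prune /
# escape strategies on a hand-built node tree. The whitelist and the
# href scheme check below are assumptions for the demo; the real library
# uses html5lib's much larger whitelist.

SAFE_TAGS  = %w[p b i a].freeze                  # assumed whitelist
SAFE_ATTRS = { "a" => %w[href] }.freeze          # assumed per-tag attribute whitelist
SAFE_URL   = %r{\A(?:https?:|mailto:)}i          # assumed: only these schemes survive in href

# Elements are Node structs; text nodes are plain Strings.
Node = Struct.new(:name, :attrs, :children)

def escape_html(s)
  s.gsub("&", "&amp;").gsub("<", "&lt;").gsub(">", "&gt;").gsub('"', "&quot;")
end

# Serialize a tree back to markup, escaping text and attribute values.
def serialize(node)
  return escape_html(node) if node.is_a?(String)
  attrs = node.attrs.map { |k, v| %( #{k}="#{escape_html(v)}") }.join
  inner = node.children.map { |c| serialize(c) }.join
  "<#{node.name}#{attrs}>#{inner}</#{node.name}>"
end

# Returns the list of nodes that replace +node+ after scrubbing in +mode+.
def scrub(node, mode)
  return [node] if node.is_a?(String)
  unless SAFE_TAGS.include?(node.name)
    case mode
    when :strip  then return node.children.flat_map { |c| scrub(c, mode) } # drop tag, keep inner text
    when :prune  then return []                                            # drop tag and its subtree
    when :escape then return [serialize(node)]                             # subtree becomes escaped text
    else raise ArgumentError, "unknown mode #{mode}"
    end
  end
  # Safe tag: keep it, but only whitelisted attributes with acceptable values.
  allowed = SAFE_ATTRS.fetch(node.name, [])
  attrs = node.attrs.select do |k, v|
    allowed.include?(k) && (k != "href" || SAFE_URL.match?(v.strip))
  end
  [Node.new(node.name, attrs, node.children.flat_map { |c| scrub(c, mode) })]
end

def sanitize(tree, mode)
  scrub(tree, mode).map { |n| serialize(n) }.join
end

# Constructed sample input, equivalent to:
#   <p>Hi <b>there</b><script>alert(1)</script>
#      <a href="javascript:alert(2)" onclick="x()">link</a></p>
SAMPLE = Node.new("p", {}, [
  "Hi ",
  Node.new("b", {}, ["there"]),
  Node.new("script", {}, ["alert(1)"]),
  Node.new("a", { "href" => "javascript:alert(2)", "onclick" => "x()" }, ["link"]),
])

if __FILE__ == $0
  %i[strip prune escape].each { |m| puts "#{m}: #{sanitize(SAMPLE, m)}" }
end
```

Note what each mode leaves behind: strip keeps the script body, so the page ends up displaying the literal text alert(1); prune removes it entirely, which is usually what you want for untrusted input; escape turns the whole script element into visible entity-encoded text. The attribute filter also shows why a whitelist has to look at values and not only names: onclick is dropped because it is not whitelisted, but href is dropped too because its javascript: scheme fails the check.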
== COMPARE AND CONTRAST
Loofah is the only ruby XSS/sanitization library that guarantees
well-formed and valid markup.
Also, it’s pretty fast. Here is a benchmark comparing Loofah to other
commonly-used libraries: