loofah version 0.4.2 has been released!
- http://loofah.rubyforge.org
- http://rubyforge.org/projects/loofah
- http://github.com/flavorjones/loofah
Loofah is a general library for manipulating HTML/XML documents and
fragments. It’s built on top of Nokogiri and libxml2, so it’s fast and
has a nice API.
Loofah excels at HTML sanitization (XSS prevention). It includes some
nice HTML sanitizers, which are based on HTML5lib’s whitelist, so it
most likely won’t make your code less secure. (These statements have
not been evaluated by Netexperts.)
Changes
0.4.2 (2010-01-22)
Enhancements:
- Implemented Node#scrub! for scrubbing subtrees.
- Implemented NodeSet#scrub! for scrubbing a set of subtrees.
- Document.text now only serializes contents (ignores )
- , and added to the HTML5lib whitelist.
Bug fixes:
- Supporting Rails apps that aren’t loading ActiveRecord. GH #10
Miscellaneous:
- Mailing list is now [email protected] / http://librelist.com
- IRC channel is now #loofah on freenode.
Features
- Easily write custom scrubbers for HTML/XML leveraging the sweetness
  of Nokogiri (and HTML5lib’s whitelists).
- Common HTML sanitizing tasks are built-in:
  - Strip unsafe tags, leaving behind only the inner text.
  - Prune unsafe tags and their subtrees, removing all traces that
    they ever existed.
  - Escape unsafe tags and their subtrees, leaving behind lots of
    &lt; and &gt; entities.
  - Whitewash the markup, removing all attributes and namespaced
    nodes.
- Common HTML transformation tasks are built-in:
  - Add the nofollow attribute to all hyperlinks.
  - Format markup as plain text.
- Replace Rails’s +strip_tags+ and +sanitize+ helper methods.
- Two ActiveRecord extensions:
  - Loofah::XssFoliate, an XssTerminate
    (http://github.com/look/xss_terminate) drop-in replacement, is an
    opt-out sanitizer. By default all models and attributes are
    sanitized.
  - Loofah::ActiveRecordExtension is an opt-in sanitizer. You must
    explicitly declare attributes to be sanitized.
Compare and Contrast
Loofah is one of two known Ruby XSS/sanitization solutions that
guarantee well-formed and valid markup (the other is Sanitize, which
also uses Nokogiri).
Loofah works fine on XML, XHTML and HTML documents.
Also, it’s pretty fast. Here is a benchmark comparing Loofah to other
commonly-used libraries (ActionView, Sanitize, HTML5lib and HTMLfilter):
Lastly, Loofah is extensible. It’s super-easy to write your own custom
scrubbers for whatever document manipulation you need. You don’t like
the built-in scrubbers? Build your own, like a boss.