Loofah 2.0.0 Released

loofah version 2.0.0 has been released!

Loofah is a general library for manipulating and transforming HTML/XML
documents and fragments. It's built on top of Nokogiri and libxml2, so it's
fast and has a nice API.

Loofah excels at HTML sanitization (XSS prevention). It includes some
HTML sanitizers, which are based on HTML5lib's whitelist, so it most likely
won't make your code less secure. (These statements have not been
evaluated by Netexperts.)

ActiveRecord extensions for sanitization are available in the
loofah-activerecord gem (see the flavorjones/loofah-activerecord repository
on GitHub: ActiveRecord sanitization using Loofah and Nokogiri).


2.0.0 / 2014-05-09

Compatibility notes:

  • ActionView helpers now must be required explicitly: require "loofah/helpers"
  • Support for Ruby 1.8.7 and prior has been dropped

Enhancements:

  • HTML5 whitelist allows the following …
    • tags: article, aside, bdi, bdo, canvas, command,
      datalist, details, figcaption, figure, footer, header,
      meter, nav, output, section, summary, time
    • attributes: data-* (Thanks, Rafael Franca!)
    • URI attributes: poster and preload
  • Addition of the :unprintable scrubber to remove unprintable characters
    from text nodes. #65 (Thanks, Matt Swanson!)
  • Loofah.fragment accepts an optional encoding argument, compatible with
    Nokogiri::HTML::DocumentFragment.parse. #62 (Thanks, Ben A.s!)
  • HTML5 sanitizers now remove attributes without values. (Thanks, Kasper
    Timm Hansen!)

Bug fixes:

  • HTML5 sanitizers’ CSS keyword check now actually works (broken in
    Additional regression tests added. (Thanks, Kasper Timm Hansen!)
  • HTML5 sanitizers now allow negative arguments to CSS. #64 (Thanks, Jon
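As an added illustration (not Loofah's own code), here is a minimal whitelist scrubber for inline style attributes in the spirit of the HTML5lib rules the two CSS bug fixes above concern: property names and bare keywords must be on a whitelist, numeric tokens may carry a leading minus (the negative-argument case), and anything else, such as url() or expression(), is dropped. The whitelists are shortened, assumed subsets chosen for the example.

```ruby
# Added example, not Loofah's implementation: a simplified whitelist-based
# scrubber for a style="" attribute value. Each declaration must have an
# allowed property name and a value made only of allowed keyword tokens,
# hex/rgb() colours or signed numbers with an optional unit.

# Assumed subsets of the HTML5lib whitelists, trimmed for the example.
ALLOWED_CSS_PROPERTIES = %w[color background-color font-size font-weight
                            margin margin-left margin-top text-align
                            width].freeze
ALLOWED_CSS_KEYWORDS   = %w[auto blue bold center inherit left none normal
                            red right transparent].freeze

# Hex colours, rgb() with integer/percent channels, and numbers with a unit.
# The leading -? is what makes "margin-left: -5px" survive the check.
SAFE_CSS_VALUE = /\A(
    \#[0-9a-f]{3,6}
  | rgb\(\d{1,3}%?,\d{1,3}%?,\d{1,3}%?\)
  | -?(\d+\.?\d*|\.\d+)(cm|em|ex|in|mm|pc|pt|px|%)?
)\z/ix

# A single whitespace-separated value token is safe if it is a whitelisted
# keyword or matches the numeric/colour pattern. Function calls such as
# url(...) or expression(...) match neither and are rejected.
def safe_css_value?(token)
  ALLOWED_CSS_KEYWORDS.include?(token.downcase) || SAFE_CSS_VALUE.match?(token)
end

# Returns the cleaned declaration list. Declarations whose property is not
# whitelisted, whose value is missing, or whose value contains any unsafe
# token are removed entirely rather than partially rewritten.
def scrub_style(style)
  style.split(";").map(&:strip).reject(&:empty?).map do |decl|
    prop, value = decl.split(":", 2).map { |s| s.to_s.strip }
    next unless ALLOWED_CSS_PROPERTIES.include?(prop.downcase)
    next if value.nil? || value.empty?
    tokens = value.split(/\s+/)
    next unless tokens.all? { |t| safe_css_value?(t) }
    "#{prop}: #{value}"
  end.compact.join("; ")
end

if __FILE__ == $PROGRAM_NAME
  puts scrub_style("color: red; margin-left: -5px")          # kept as-is
  puts scrub_style("width: expression(alert(1)); color:red")  # "color: red"
  puts scrub_style("background-image: url(javascript:alert(1))").inspect  # ""
end
```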