Loofah 2.0.0 Released

loofah version 2.0.0 has been released!

Loofah is a general library for manipulating and transforming HTML/XML
documents and fragments. It’s built on top of Nokogiri and libxml2, so it’s
fast and has a nice API.

Loofah excels at HTML sanitization (XSS prevention). It includes some nice
HTML sanitizers, which are based on HTML5lib’s whitelist, so it most likely
won’t make your code less secure. (These statements have not been
evaluated by Netexperts.)

ActiveRecord extensions for sanitization are available in the
loofah-activerecord gem (see
http://github.com/flavorjones/loofah-activerecord).

Changes:

2.0.0 / 2014-05-09

Compatibility notes:

  • ActionView helpers now must be required explicitly: require "loofah/helpers"
  • Support for Ruby 1.8.7 and prior has been dropped

Enhancements:

  • HTML5 whitelist allows the following …
    • tags: article, aside, bdi, bdo, canvas, command, datalist, details,
      figcaption, figure, footer, header, mark, meter, nav, output, section,
      summary, time
    • attributes: data-* (Thanks, Rafael Franca!)
    • URI attributes: poster and preload
  • Addition of the :unprintable scrubber to remove unprintable characters
    from text nodes. #65 (Thanks, Matt Swanson!)
  • Loofah.fragment accepts an optional encoding argument, compatible with
    Nokogiri::HTML::DocumentFragment.parse. #62 (Thanks, Ben A.s!)
  • HTML5 sanitizers now remove attributes without values. (Thanks, Kasper
    Timm Hansen!)

Bug fixes:

  • HTML5 sanitizers’ CSS keyword check now actually works (broken in v2.0).
    Additional regression tests added. (Thanks, Kasper Timm Hansen!)
  • HTML5 sanitizers now allow negative arguments to CSS. #64 (Thanks, Jon
    Calhoun!)