Loofah 2.0.0 Released

loofah version 2.0.0 has been released!

Loofah is a general library for manipulating and transforming HTML/XML
documents and fragments. It’s built on top of Nokogiri and libxml2, so
it’s
fast and has a nice API.

Loofah excels at HTML sanitization (XSS prevention). It includes some
nice
HTML sanitizers, which are based on HTML5lib’s whitelist, so it most
likely
won’t make your codes less secure. (These statements have not been
evaluated by Netexperts.)

ActiveRecord extensions for sanitization are available in the
loofah-activerecord gem (see
http://github.com/flavorjones/loofah-activerecord).

Changes:

2.0.0 / 2014-05-09

Compatibility notes:

  • ActionView helpers now must be required explicitly: require "loofah/helpers"
  • Support for Ruby 1.8.7 and prior has been dropped

Enhancements:

  • HTML5 whitelist allows the following …
    • tags: article, aside, bdi, bdo, canvas, command,
      datalist, details, figcaption, figure, footer, header,
      mark,
      meter, nav, output, section, summary, time
    • attributes: data-* (Thanks, Rafael Franca!)
    • URI attributes: poster and preload
  • Addition of the :unprintable scrubber to remove unprintable
    characters
    from text nodes. #65 (Thanks, Matt Swanson!)
  • Loofah.fragment accepts an optional encoding argument, compatible
    with
    Nokogiri::HTML::DocumentFragment.parse. #62 (Thanks, Ben A.s!)
  • HTML5 sanitizers now remove attributes without values. (Thanks, Kasper
    Timm Hansen!)

Bug fixes:

  • HTML5 sanitizers’ CSS keyword check now actually works (broken in
    v2.0).
    Additional regression tests added. (Thanks, Kasper Timm Hansen!)
  • HTML5 sanitizers now allow negative arguments to CSS. #64 (Thanks, Jon
    Calhoun!)

This forum is not affiliated to the Ruby language, Ruby on Rails framework, nor any Ruby applications discussed here.

| Privacy Policy | Terms of Service | Remote Ruby Jobs