librelist archives

« back to archive

[ANN] loofah 2.0.0 Released

[ANN] loofah 2.0.0 Released

Mike Dalessio
2014-05-09 @ 22:54
loofah version 2.0.0 has been released!

* <>
* <>
* <>

Loofah is a general library for manipulating and transforming HTML/XML
documents and fragments. It's built on top of Nokogiri and libxml2, so it's
fast and has a nice API.

Loofah excels at HTML sanitization (XSS prevention). It includes some nice
HTML sanitizers, which are based on HTML5lib's whitelist, so it most likely
won't make your codes less secure. (These statements have not been
evaluated by Netexperts.)

ActiveRecord extensions for sanitization are available in the
`loofah-activerecord` gem (see


## 2.0.0 / 2014-05-09

Compatibility notes:

* ActionView helpers now must be required explicitly: `require
* Support for Ruby 1.8.7 and prior has been dropped


* HTML5 whitelist allows the following ...
  * tags: `article`, `aside`, `bdi`, `bdo`, `canvas`, `command`,
`datalist`, `details`, `figcaption`, `figure`, `footer`, `header`, `mark`,
`meter`, `nav`, `output`, `section`, `summary`, `time`
  * attributes: `data-*` (Thanks, Rafael Franca!)
  * URI attributes: `poster` and `preload`
* Addition of the `:unprintable` scrubber to remove unprintable characters
from text nodes. #65 (Thanks, Matt Swanson!)
* `Loofah.fragment` accepts an optional encoding argument, compatible with
`Nokogiri::HTML::DocumentFragment.parse`. #62 (Thanks, Ben Atkins!)
* HTML5 sanitizers now remove attributes without values. (Thanks, Kasper
Timm Hansen!)

Bug fixes:

* HTML5 sanitizers' CSS keyword check now actually works (broken in v2.0).
Additional regression tests added. (Thanks, Kasper Timm Hansen!)
* HTML5 sanitizers now allow negative arguments to CSS. #64 (Thanks, Jon