[ANN] loofah 2.1.0.rc1 released

From:
Mike Dalessio
Date:
2015-08-17 @ 23:45
loofah version 2.1.0.rc1 has been released!


TL;DR: CSS property parsing and sanitization has been re-implemented on top
of Crass:

    https://github.com/rgrove/crass

replacing the regexes that were lifted from html5lib back in 2009. I'm
relatively sure this is a good thing.

I would very much like feedback on this implementation before cutting an
actual release, as Loofah is the underlying implementation for Rails
sanitization, and thus has a large surface area. See this article for
history on Loofah's adoption in Rails:

    http://blog.plataformatec.com.br/2014/07/the-new-html-sanitizer-in-rails-4-2/

Please provide feedback on this implementation here:

    https://github.com/flavorjones/loofah/issues/91

If I don't know of any blockers by 28 August 2015, I'll release 2.1.0 final
based on this implementation.


- mike
@flavorjones


----

* <https://github.com/flavorjones/loofah>
* <http://rubydoc.info/github/flavorjones/loofah/master/frames>
* <http://librelist.com/browser/loofah>

Loofah is a general library for manipulating and transforming HTML/XML
documents and fragments. It's built on top of Nokogiri and libxml2, so
it's fast and has a nice API.

Loofah excels at HTML sanitization (XSS prevention). It includes some
nice HTML sanitizers, which are based on HTML5lib's whitelist, so it
most likely won't make your codes less secure. (These statements have
not been evaluated by Netexperts.)

ActiveRecord extensions for sanitization are available in the
`loofah-activerecord` gem (see
https://github.com/flavorjones/loofah-activerecord).

Changes:

## 2.1.0.rc1 / 2015-08-17

Notes:

* Re-implemented CSS parsing and sanitization using the {crass}[https://github.com/rgrove/crass] library. #91

Bug fixes:

* Allow negative values in CSS properties. Restores functionality that was
reverted in v2.0.3. #91
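
As an added illustration (not Loofah's or Crass's own code) of what a parser-based `style` scrubber does, and why it can keep a negative length like `-10px` while still dropping `expression(...)` and `url(javascript:...)` values, here is a toy Ruby scrubber that splits declarations outside parentheses and quotes and allowlists properties and value tokens; the allowlists and sample styles are constructed for the example.

```ruby
# Toy CSS declaration scrubber (illustration only, not Loofah/Crass code).
# Allowlists below are constructed for this example.
ALLOWED_PROPERTIES = %w[color background-color margin margin-left padding
                        width height font-size text-align].freeze
ALLOWED_KEYWORDS   = %w[left right center auto inherit none bold italic
                        red blue white black].freeze

# One value token: an optionally negative number with a unit, or a hex colour.
NUMBER = /\A[-+]?(?:\d+\.?\d*|\.\d+)(?:px|em|rem|%|pt|vh|vw)?\z/
HEXCOL = /\A#\h{3}(?:\h{3})?\z/

# Split on ';' only when outside parentheses and quotes, so that a value such
# as "url(data:x;base64,...)" stays one declaration instead of becoming two.
def split_declarations(style)
  decls, buf, depth, quote = [], +"", 0, nil
  style.each_char do |c|
    if quote
      quote = nil if c == quote            # closing quote of a string
    elsif c == '"' || c == "'"
      quote = c                            # entering a string
    elsif c == "("
      depth += 1
    elsif c == ")"
      depth -= 1 if depth > 0
    elsif c == ";" && depth.zero?
      decls << buf                         # top-level separator
      buf = +""
      next
    end
    buf << c
  end
  decls << buf
  decls.map(&:strip).reject(&:empty?)
end

# Every whitespace-separated token must be a keyword, number or hex colour;
# function calls like expression(...) or url(...) never match and are dropped.
def value_allowed?(value)
  value.split(/\s+/).all? do |tok|
    ALLOWED_KEYWORDS.include?(tok) || tok.match?(NUMBER) || tok.match?(HEXCOL)
  end
end

# Returns the sanitized style string; rejected declarations are omitted.
def scrub_style(style)
  split_declarations(style).map do |decl|
    prop, value = decl.split(":", 2)
    next unless value
    prop = prop.strip.downcase
    value = value.strip
    next unless ALLOWED_PROPERTIES.include?(prop) && value_allowed?(value)
    "#{prop}: #{value}"
  end.compact.join("; ")
end
```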