loofah version 2.1.0 has been released!

TL;DR: CSS property parsing and sanitization has been re-implemented on top
of Crass:

    https://github.com/rgrove/crass

replacing the regexes that were lifted from html5lib back in 2009. I'm
relatively sure this is a good thing.

Note that Loofah underlies Rails sanitization since 4.2, so please do let
me know via a GitHub issue if this breaks any behavior for you. (Also note
that this change has been available in RCs since August 2015.)

Full changelog below.

-m

---

Loofah is a general library for manipulating and transforming HTML/XML
documents and fragments. It's built on top of Nokogiri and libxml2, so
it's fast and has a nice API.

Loofah excels at HTML sanitization (XSS prevention). It includes some
nice HTML sanitizers, which are based on HTML5lib's whitelist, so it
most likely won't make your code less secure. (These statements have
not been evaluated by Netexperts.)

ActiveRecord extensions for sanitization are available in the
`loofah-activerecord` gem (see
https://github.com/flavorjones/loofah-activerecord).

Changes:

## 2.1.0 / 2017-09-24

Notes:

* Re-implemented CSS parsing and sanitization using the crass library
(https://github.com/rgrove/crass). #91


Features:

* Added :noopener HTML scrubber (Thanks, @tastycode!)
* Support `data` URIs with the following media types: text/plain, text/css,
image/png, image/gif, image/jpeg, image/svg+xml. #101, #120. (Thanks,
@mrpasquini!)
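As an added illustration of the `data:` URI policy described in the Features list above (this is stand-alone example code, not Loofah's own implementation), here is a Ruby check that applies the same media-type allowlist to an href/src value. The set of allowed non-data schemes (`http`, `https`, `mailto`), the control-character stripping, and the treatment of `;base64` / `charset=` parameters are assumptions made for this example; Loofah's actual attribute handling lives in its scrubbers.

```ruby
# Added example: default-deny check for link/src attribute values that
# mirrors the data: media-type allowlist from the Loofah 2.1.0 changelog.
# Not Loofah's code; scheme list and parameter handling are assumptions.

# Media types the changelog says Loofah 2.1.0 accepts inside data: URIs.
ALLOWED_DATA_MEDIA_TYPES = %w[
  text/plain text/css image/png image/gif image/jpeg image/svg+xml
].freeze

# Non-data schemes accepted by this example (assumption, not Loofah's list).
ALLOWED_SCHEMES = %w[http https mailto].freeze

# data:[<mediatype>][;charset=...][;base64],<data>  (RFC 2397)
# Returns true only when the media type is on the allowlist and the
# parameter list contains nothing unexpected.
def safe_data_uri?(uri)
  body = uri[5..-1] # everything after "data:"
  header, payload = body.split(",", 2)
  return false if payload.nil? # no comma: malformed, reject

  params = header.split(";")
  media_type = params.shift.to_s.downcase
  media_type = "text/plain" if media_type.empty? # RFC 2397 default

  params.each do |param|
    next if param.casecmp?("base64")
    next if param.downcase.start_with?("charset=")
    return false # unknown parameter: reject rather than guess
  end

  ALLOWED_DATA_MEDIA_TYPES.include?(media_type)
end

# Returns true when the attribute value is safe to keep under this policy.
# Relative URLs and empty values are kept; anything with a scheme must be
# explicitly allowed (default deny).
def safe_link?(value)
  # Browsers ignore ASCII control bytes and whitespace inside a scheme, so
  # "java\nscript:" is still JavaScript; strip them before classifying.
  candidate = value.to_s.gsub(/[\x00-\x20]/, "")
  return true if candidate.empty?

  scheme_match = candidate.match(/\A([a-zA-Z][a-zA-Z0-9+.\-]*):/)
  return true unless scheme_match # no scheme: relative URL, keep

  scheme = scheme_match[1].downcase
  return safe_data_uri?(candidate) if scheme == "data"

  ALLOWED_SCHEMES.include?(scheme)
end

# Given a hash of attribute name => value, returns the subset to keep.
# The hash below is constructed sample input for the example.
def scrub_link_attributes(attrs)
  attrs.select { |_name, value| safe_link?(value) }
end

if __FILE__ == $PROGRAM_NAME
  sample = {
    "href" => "data:text/html,<script>alert(1)</script>", # dropped
    "src" => "data:image/png;base64,iVBORw0KGgo=",         # kept
    "data-x" => "java\nscript:alert(1)",                   # dropped
  }
  puts scrub_link_attributes(sample).inspect
end
```

Note that `image/svg+xml` is on the allowlist: an SVG document can carry `<script>`, which is inert when the data URI is rendered through an `<img>` but not when the same bytes are opened as a top-level document or embedded via `<object>`/`<iframe>`, so keep such tags out of your whitelist as Loofah's does.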


Bugfixes:

* The :unprintable scrubber now scrubs unprintable characters in CDATA
nodes (like `<script>`). #124
* Allow negative values in CSS properties. Restores functionality that was
reverted in v2.0.3. #91
