Changelog¶ ↑

2.4.0 / 2019-11-25¶ ↑

Features¶ ↑

• Allow CSS property max-width [#175] (Thanks, @bchaney!)

• Allow CSS sizes expressed in rem [#176, #177]

• Add frozen_string_literal: true magic comment to all lib files. [#118]

2.3.1 / 2019-10-22¶ ↑

Security¶ ↑

Address CVE-2019-15587: Unsanitized JavaScript may occur in sanitized output when a crafted SVG element is republished.

This CVE's public notice is at github.com/flavorjones/loofah/issues/171

2.3.0 / 2019-09-28¶ ↑

Features¶ ↑

• Expand set of allowed protocols to include tel: and line:. [#104, #147]

• Expand set of allowed CSS functions. [related to #122]

• Allow greater precision in shorthand CSS values. [#149] (Thanks, @danfstucky!)

• Allow CSS property list-style [#162] (Thanks, @jaredbeck!)

• Allow CSS keywords thick and thin [#168] (Thanks, @georgeclaghorn!)

• Allow HTML property contenteditable [#167] (Thanks, @andreynering!)

Bug fixes¶ ↑

• CSS hex values are no longer limited to lowercase hex. Previously uppercase hex were scrubbed. [#165] (Thanks, @asok!)

Deprecations / Name Changes¶ ↑

The following method and constants are hereby deprecated, and will be completely removed in a future release:

• Deprecate Loofah::Helpers::ActionView.white_list_sanitizer, please use Loofah::Helpers::ActionView.safe_list_sanitizer instead.

• Deprecate Loofah::Helpers::ActionView::WhiteListSanitizer, please use Loofah::Helpers::ActionView::SafeListSanitizer instead.

• Deprecate Loofah::HTML5::WhiteList, please use Loofah::HTML5::SafeList instead.

Thanks to @JuanitoFatas for submitting these changes in #164 and for making the language used in Loofah more inclusive.

2.2.3 / 2018-10-30¶ ↑

Security¶ ↑

Address CVE-2018-16468: Unsanitized JavaScript may occur in sanitized output when a crafted SVG element is republished.

This CVE's public notice is at github.com/flavorjones/loofah/issues/154

Meta / 2018-10-27¶ ↑

The mailing list is now on Google Groups #146:

• Mail: loofah-talk@googlegroups.com

• Archive: groups.google.com/forum/#!forum/loofah-talk

This change was made because librelist no longer appears to be maintained.

2.2.2 / 2018-03-22¶ ↑

Make public Loofah::HTML5::Scrub.force_correct_attribute_escaping!, which was previously a private method. This is so that downstream gems (like rails-html-sanitizer) can use this logic directly for their own attribute scrubbers should they need to address CVE-2018-8048.

2.2.1 / 2018-03-19¶ ↑

Security¶ ↑

Addresses CVE-2018-8048. Loofah allowed non-whitelisted attributes to be present in sanitized output when input with specially-crafted HTML fragments.

This CVE's public notice is at github.com/flavorjones/loofah/issues/144

2.2.0 / 2018-02-11¶ ↑

Features:¶ ↑

• Support HTML5 <main> tag. #133 (Thanks, @MothOnMars!)

• Recognize HTML5 block elements. #136 (Thanks, @MothOnMars!)

• Support SVG <symbol> tag. #131 (Thanks, @baopham!)

• Support for whitelisting CSS functions, initially just calc and rgb. #122/#123/#129 (Thanks, @NikoRoberts!)

• Whitelist CSS property list-style-type. #68/#137/#142 (Thanks, @andela-ysanni and @NikoRoberts!)

Bugfixes:¶ ↑

• Properly handle nested script tags. #127.

2.1.1 / 2017-09-24¶ ↑

Bugfixes:¶ ↑

• Removed warning for unused variable. #124 (Thanks, @y-yagi!)

2.1.0 / 2017-09-24¶ ↑

Notes:¶ ↑

• Re-implemented CSS parsing and sanitization using the crass library. #91

Features:¶ ↑

• Added :noopener HTML scrubber (Thanks, @tastycode!)

• Support data URIs with the following media types: text/plain, text/css, image/png, image/gif, image/jpeg, image/svg+xml. #101, #120. (Thanks, @mrpasquini!)

Bugfixes:¶ ↑

• The :unprintable scrubber now scrubs unprintable characters in CDATA nodes (like <script>). #124

• Allow negative values in CSS properties. Restores functionality that was reverted in v2.0.3. #91

2.0.3 / 2015-08-17¶ ↑

Bug fixes:¶ ↑

• Revert support for negative values in CSS properties due to slow performance. #90 (Related to #85.)

2.0.2 / 2015-05-05¶ ↑

Bug fixes:¶ ↑

• Fix error with #to_text when Loofah::Helpers hadn't been required. #75

• Allow multi-word data attributes. #84 (Thanks, @jstorimer!)

• Allow negative values in CSS properties. #85 (Thanks, @siddhartham!)

2.0.1 / 2014-08-21¶ ↑

Bug fixes:¶ ↑

• Load RR correctly when running test files directly. (Thanks, @ktdreyer!)

Notes:¶ ↑

• Extracted HTML5::Scrub#scrub_css_attribute to accommodate the Rails integration work. (Thanks, @kaspth!)

2.0.0 / 2014-05-09¶ ↑

Compatibility notes:¶ ↑

• ActionView helpers now must be required explicitly: require "loofah/helpers"

• Support for Ruby 1.8.7 and prior has been dropped

Enhancements:¶ ↑

• HTML5 whitelist allows the following …

• tags: article, aside, bdi, bdo, canvas, command, datalist, details, figcaption, figure, footer, header, mark, meter, nav, output, section, summary, time

• attributes: data-* (Thanks, Rafael Franca!)

• URI attributes: poster and preload

• Addition of the :unprintable scrubber to remove unprintable characters from text nodes. #65 (Thanks, Matt Swanson!)

• Loofah.fragment accepts an optional encoding argument, compatible with Nokogiri::HTML::DocumentFragment.parse. #62 (Thanks, Ben Atkins!)

• HTML5 sanitizers now remove attributes without values. (Thanks, Kasper Timm Hansen!)

Bug fixes:¶ ↑

• HTML5 sanitizers' CSS keyword check now actually works (broken in v2.0). Additional regression tests added. (Thanks, Kasper Timm Hansen!)

• HTML5 sanitizers now allow negative arguments to CSS. #64 (Thanks, Jon Calhoun!)

1.2.1 (2012-04-14)¶ ↑

• Declaring encoding in html5/scrub.rb. Without this, use of the ruby -KU option would cause havoc. (#32)

1.2.0 (2011-08-08)¶ ↑

Enhancements:¶ ↑

• Loofah::Helpers.sanitize_css is a replacement for Rails's built-in sanitize_css helper.

• Improving ActionView integration.

1.1.0 (2011-08-08)¶ ↑

Enhancements:¶ ↑

• Additional HTML5lib whitelist elements (from html5lib 1524:80b5efe26230). Up to date with HTML5lib ruby code as of 1723:7ee6a0331856.

• Whitelists (which are not part of the public API) are now Sets (were previously Arrays).

• Don't explode when encountering UTF-8 URIs. (#25, #29)

1.0.0 (2010-10-26)¶ ↑

Notes:¶ ↑

• Moved ActiveRecord functionality into loofah-activerecord gem.

• Removed DEPRECATIONS.rdoc documenting 0.3.0 API changes.

0.4.7 (2010-03-09)¶ ↑

Enhancements:¶ ↑

• New methods Loofah::HTML::Document#to_text and Loofah::HTML::DocumentFragment#to_text do the right thing with whitespace. Note that these methods are significantly slower than text. GH #12

• Loofah::Elements::BLOCK_LEVEL contains a canonical list of HTML4 block-level4 elements.

• Loofah::HTML::Document#text and Loofah::HTML::DocumentFragment#text will return unescaped HTML entities by passing :encode_special_chars => false.

0.4.4, 0.4.5, 0.4.6 (2010-02-01)¶ ↑

Enhancements:¶ ↑

• Loofah::HTML::Document#text and Loofah::HTML::DocumentFragment#text now escape HTML entities.

Bug fixes:¶ ↑

• Loofah::XssFoliate was not properly escaping HTML entities when implicitly scrubbing a string attribute. GH #17

0.4.3 (2010-01-29)¶ ↑

Enhancements:¶ ↑

• All built-in scrubbers are accepted by ActiveRecord::Base.xss_foliate

• Loofah::XssFoliate.xss_foliate_all_models replaces use of the constant LOOFAH_XSS_FOLIATE_ALL_MODELS

Miscellaneous:¶ ↑

• Modified documentation for bootstrapping XssFoliate in a Rails app, since the use of Bundler breaks the previously-documented method. To be safe, always use an initializer file.

0.4.2 (2010-01-22)¶ ↑

Enhancements:¶ ↑

• Implemented Node#scrub! for scrubbing subtrees.

• Implemented NodeSet#scrub! for scrubbing a set of subtrees.

• Document.text now only serializes <body> contents (ignores <head>)

• <head>, <html> and <body> added to the HTML5lib whitelist.

Bug fixes:¶ ↑

• Supporting Rails apps that aren't loading ActiveRecord. GH #10

Miscellaneous:¶ ↑

• Mailing list is now loofah@librelist.com / librelist.com

• IRC channel is now loofah on freenode.

0.4.1 (2009-11-23)¶ ↑

Bugfix:¶ ↑

• Manifest fixed. Whoops.

0.4.0 (2009-11-21)¶ ↑

Enhancements:¶ ↑

• Scrubber class introduced, allowing development of custom scrubbers.

• Added support for XML documents and fragments.

• Added :nofollow HTML scrubber (thanks Luke Melia!)

• Built-in scrubbing methods refactored to use Scrubber.

0.3.1 (2009-10-12)¶ ↑

Bug fixes:¶ ↑

• Scrubbed Documents properly render html, head and body tags when serialized.

0.3.0 (2009-10-06)¶ ↑

Enhancements:¶ ↑

• New ActiveRecord extension xss_foliate, a drop-in replacement for xss_terminate.

• Replacement methods for Rails's helpers, Loofah::Rails.sanitize and Loofah::Rails.strip_tags.

• Official support (and test coverage) for Rails versions 2.3, 2.2, 2.1, 2.0 and 1.2.

Deprecations:¶ ↑

• The methods strip_tags, whitewash, whitewash_document, sanitize, and sanitize_document have been deprecated. See DEPRECATED.rdoc for details on the equivalent calls with the post-0.2 API.

0.2.2 (2009-09-30)¶ ↑

Enhancements:¶ ↑

• ActiveRecord extension scrubs fields in a before_validation callback (was previously in a before_save)

0.2.1 (2009-09-19)¶ ↑

Enhancements:¶ ↑

• when loaded in a Rails app, automatically extend ActiveRecord::Base with html_fragment and html_document. GH #6 (Thanks Josh Nichols!)

Bugfixes:¶ ↑

• ActiveRecord scrubbing should generate strings instead of Document or DocumentFragment objects. GH #5

• init.rb fixed to support installation as a Rails plugin. GH #6 (Thanks Josh Nichols!)

0.2.0 (2009-09-11)¶ ↑

• Swank new API.

• ActiveRecord extension.

• Uses Nokogiri's Document and DocumentFragment for parsing.

• Updated html5lib codes and tests to revision 1384:b9d3153d7be7.

• Deprecated the Dryopteris sanitization methods. Will be removed in 0.3.0.

• Documentation! Hey!

0.1.2 (2009-04-30)¶ ↑

• Added whitewashing – removal of all attributes and namespaced nodes. You know, for microsofty HTML.

0.1.0 (2009-02-10)¶ ↑

• Birthday!