[Rails] [ANN] loofah 2.1.0 released

Ruby on Rails Sunday, September 24, 2017

loofah version 2.1.0 has been released!

TL;DR: CSS property parsing and sanitization has been re-implemented on top of Crass:


replacing the regexes that were lifted from html5lib back in 2009. I'm relatively sure this is a good thing.

Note that Loofah underlies Rails sanitization since 4.2, so please do let me know via Github issue if this breaks any behavior for you. (Also note that this change has been available in RCs since August 2015.)

Full changelog below.

-m

---

Loofah is a general library for manipulating and transforming HTML/XML
documents and fragments. It's built on top of Nokogiri and libxml2, so
it's fast and has a nice API.

Loofah excels at HTML sanitization (XSS prevention). It includes some
nice HTML sanitizers, which are based on HTML5lib's whitelist, so it
most likely won't make your codes less secure. (These statements have
not been evaluated by Netexperts.)

ActiveRecord extensions for sanitization are available in the
`loofah-activerecord` gem (see

Changes:

## 2.1.0 / 2017-09-24

Notes:

* Re-implemented CSS parsing and sanitization using the {crass}[https://github.com/rgrove/crass] library. #91


Features:

* Added :noopener HTML scrubber (Thanks, @tastycode!)
* Support `data` URIs with the following media types: text/plain, text/css, image/png, image/gif, image/jpeg, image/svg+xml. #101, #120. (Thanks, @mrpasquini!)


Bugfixes:

* The :unprintable scrubber now scrubs unprintable characters in CDATA nodes (like `<script>`). #124
* Allow negative values in CSS properties. Restores functionality that was reverted in v2.0.3. #91


--
You received this message because you are subscribed to the Google Groups "Ruby on Rails: Talk" group.
To unsubscribe from this group and stop receiving emails from it, send an email to rubyonrails-talk+unsubscribe@googlegroups.com.
To post to this group, send email to rubyonrails-talk@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/rubyonrails-talk/CAGJbjKYc1XEkWJAbYP0Je%2BQsJZV08_BpX-rwJ2iA9TfFmSEikw%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.

Posted by Ruby on Rails at 1:58 PM

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)