Notes:
- Re-implemented CSS parsing and sanitization using the crass library. #91
- Updated tests to ensure support for libxml 2.9.3.

Bug fixes:
- Allow negative values in CSS properties. Restores functionality that was reverted in v2.0.3. #91

Bug fixes:
- Revert support for negative values in CSS properties due to slow performance. #90 (Related to #85.)

Bug fixes:
- Fix error with `#to_text` when Loofah::Helpers hadn't been required. #75
- Allow multi-word data attributes. #84 (Thanks, @jstorimer!)
- Allow negative values in CSS properties. #85 (Thanks, @siddhartham!)

Bug fixes:
- Load RR correctly when running test files directly. (Thanks, @ktdreyer!)

Notes:
- Extracted HTML5::Scrub#scrub_css_attribute to accommodate the Rails integration work. (Thanks, @kaspth!)

Compatibility notes:
- ActionView helpers now must be required explicitly: `require "loofah/helpers"`
- Support for Ruby 1.8.7 and prior has been dropped

Enhancements:
- HTML5 whitelist allows the following …
  - tags: `article`, `aside`, `bdi`, `bdo`, `canvas`, `command`, `datalist`, `details`, `figcaption`, `figure`, `footer`, `header`, `mark`, `meter`, `nav`, `output`, `section`, `summary`, `time`
  - attributes: `data-*` (Thanks, Rafael Franca!)
  - URI attributes: `poster` and `preload`
- Addition of the `:unprintable` scrubber to remove unprintable characters from text nodes. #65 (Thanks, Matt Swanson!)
- `Loofah.fragment` accepts an optional encoding argument, compatible with `Nokogiri::HTML::DocumentFragment.parse`. #62 (Thanks, Ben Atkins!)
- HTML5 sanitizers now remove attributes without values. (Thanks, Kasper Timm Hansen!)

Bug fixes:
- HTML5 sanitizers' CSS keyword check now actually works (broken in v2.0). Additional regression tests added. (Thanks, Kasper Timm Hansen!)
- HTML5 sanitizers now allow negative arguments to CSS. #64 (Thanks, Jon Calhoun!)
- Declaring encoding in html5/scrub.rb. Without this, use of the ruby -KU option would cause havoc. (#32)

Enhancements:
- Loofah::Helpers.sanitize_css is a replacement for Rails's built-in sanitize_css helper.
- Improving ActionView integration.

Enhancements:
- Additional HTML5lib whitelist elements (from html5lib 1524:80b5efe26230). Up to date with HTML5lib ruby code as of 1723:7ee6a0331856.
- Whitelists (which are not part of the public API) are now Sets (were previously Arrays).
- Don't explode when encountering UTF-8 URIs. (#25, #29)

Notes:
- Moved ActiveRecord functionality into `loofah-activerecord` gem.
- Removed DEPRECATIONS.rdoc documenting 0.3.0 API changes.

Enhancements:
- New methods Loofah::HTML::Document#to_text and Loofah::HTML::DocumentFragment#to_text do the right thing with whitespace. Note that these methods are significantly slower than #text. GH #12
- Loofah::Elements::BLOCK_LEVEL contains a canonical list of HTML4 block-level elements.
- Loofah::HTML::Document#text and Loofah::HTML::DocumentFragment#text will return unescaped HTML entities by passing :encode_special_chars => false.

Enhancements:
- Loofah::HTML::Document#text and Loofah::HTML::DocumentFragment#text now escape HTML entities.

Bug fixes:
- Loofah::XssFoliate was not properly escaping HTML entities when implicitly scrubbing a string attribute. GH #17

Enhancements:
- All built-in scrubbers are accepted by ActiveRecord::Base.xss_foliate
- Loofah::XssFoliate.xss_foliate_all_models replaces use of the constant LOOFAH_XSS_FOLIATE_ALL_MODELS

Miscellaneous:
- Modified documentation for bootstrapping XssFoliate in a Rails app, since the use of Bundler breaks the previously-documented method. To be safe, always use an initializer file.

Enhancements:
- Implemented Node#scrub! for scrubbing subtrees.
- Implemented NodeSet#scrub! for scrubbing a set of subtrees.
- Document.text now only serializes <body> contents (ignores <head>)
- <head>, <html> and <body> added to the HTML5lib whitelist.

Bug fixes:
- Supporting Rails apps that aren't loading ActiveRecord. GH #10

Miscellaneous:
- Mailing list is now loofah@librelist.com / librelist.com
- IRC channel is now #loofah on freenode.

Bugfix:
- Manifest fixed. Whoops.

Enhancements:
- Scrubber class introduced, allowing development of custom scrubbers.
- Added support for XML documents and fragments.
- Added :nofollow HTML scrubber (thanks Luke Melia!)
- Built-in scrubbing methods refactored to use Scrubber.
Bug fixes:
- Scrubbed Documents properly render html, head and body tags when serialized.

Enhancements:
- New ActiveRecord extension `xss_foliate`, a drop-in replacement for xss_terminate.
- Replacement methods for Rails's helpers, Loofah::Rails.sanitize and Loofah::Rails.strip_tags.
- Official support (and test coverage) for Rails versions 2.3, 2.2, 2.1, 2.0 and 1.2.

Deprecations:
- The methods strip_tags, whitewash, whitewash_document, sanitize, and sanitize_document have been deprecated. See DEPRECATED.rdoc for details on the equivalent calls with the post-0.2 API.

Enhancements:
- ActiveRecord extension scrubs fields in a before_validation callback (was previously in a before_save)

Enhancements:
- when loaded in a Rails app, automatically extend ActiveRecord::Base with html_fragment and html_document. GH #6 (Thanks Josh Nichols!)

Bugfixes:
- ActiveRecord scrubbing should generate strings instead of Document or DocumentFragment objects. GH #5
- init.rb fixed to support installation as a Rails plugin. GH #6 (Thanks Josh Nichols!)

- Swank new API.
- ActiveRecord extension.
- Uses Nokogiri's Document and DocumentFragment for parsing.
- Updated html5lib code and tests to revision 1384:b9d3153d7be7.
- Deprecated the Dryopteris sanitization methods. Will be removed in 0.3.0.
- Documentation! Hey!

- Added whitewashing: removal of all attributes and namespaced nodes. You know, for microsofty HTML.
- Birthday!