loofah version 2.1.0.rc1 has been released!
TL;DR: CSS property parsing and sanitization has been re-implemented on
top
of Crass:
https://github.com/rgrove/crass
replacing the regexes that were lifted from html5lib back in 2009. I’m
relatively sure this is a good thing.
I would very much like feedback on this implementation before cutting an
actual release, as Loofah is the underlying implementation for Rails
sanitization, and thus has a large surface area. See this article for
history on Loofah’s adoption in Rails:
Please provide feedback on this implementation here:
https://github.com/flavorjones/loofah/issues/91
If I don’t know of any blockers by 28 August 2015, I’ll release 2.1.0
final
based on this implementation.
- mike
@flavorjones
- https://github.com/flavorjones/loofah
- http://rubydoc.info/github/flavorjones/loofah/master/frames
- http://librelist.com/browser/loofah
Loofah is a general library for manipulating and transforming HTML/XML
documents and fragments. It’s built on top of Nokogiri and libxml2, so
it’s fast and has a nice API.
Loofah excels at HTML sanitization (XSS prevention). It includes some
nice HTML sanitizers, which are based on HTML5lib’s whitelist, so it
most likely won’t make your codes less secure. (These statements have
not been evaluated by Netexperts.)
ActiveRecord extensions for sanitization are available in the
loofah-activerecord gem (see
GitHub - flavorjones/loofah-activerecord: ActiveRecord sanitization using Loofah and Nokogiri).
Changes:
2.1.0.rc1 / 2015-08-17
Notes:
- Re-implemented CSS parsing and sanitization using the {crass}[
GitHub - rgrove/crass: A Ruby CSS parser that's fully compliant with the CSS Syntax Level 3 specification.] library. #91
Bug fixes:
- Allow negative values in CSS properties. Restores functionality that
was
reverted in v2.0.3. #91