loofah 2.2.3 → 2.21.1
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/CHANGELOG.md +269 -31
- data/README.md +109 -124
- data/lib/loofah/concerns.rb +207 -0
- data/lib/loofah/elements.rb +85 -79
- data/lib/loofah/helpers.rb +37 -20
- data/lib/loofah/{html → html4}/document.rb +6 -7
- data/lib/loofah/html4/document_fragment.rb +15 -0
- data/lib/loofah/html5/document.rb +17 -0
- data/lib/loofah/html5/document_fragment.rb +15 -0
- data/lib/loofah/html5/libxml2_workarounds.rb +10 -8
- data/lib/loofah/html5/safelist.rb +1055 -0
- data/lib/loofah/html5/scrub.rb +153 -58
- data/lib/loofah/metahelpers.rb +11 -6
- data/lib/loofah/scrubber.rb +22 -15
- data/lib/loofah/scrubbers.rb +66 -55
- data/lib/loofah/version.rb +6 -0
- data/lib/loofah/xml/document.rb +2 -0
- data/lib/loofah/xml/document_fragment.rb +4 -7
- data/lib/loofah.rb +131 -38
- metadata +28 -216
- data/.gemtest +0 -0
- data/Gemfile +0 -22
- data/Manifest.txt +0 -40
- data/Rakefile +0 -79
- data/benchmark/benchmark.rb +0 -149
- data/benchmark/fragment.html +0 -96
- data/benchmark/helper.rb +0 -73
- data/benchmark/www.slashdot.com.html +0 -2560
- data/lib/loofah/html/document_fragment.rb +0 -40
- data/lib/loofah/html5/whitelist.rb +0 -186
- data/lib/loofah/instance_methods.rb +0 -127
- data/test/assets/msword.html +0 -63
- data/test/assets/testdata_sanitizer_tests1.dat +0 -502
- data/test/helper.rb +0 -18
- data/test/html5/test_sanitizer.rb +0 -382
- data/test/integration/test_ad_hoc.rb +0 -204
- data/test/integration/test_helpers.rb +0 -43
- data/test/integration/test_html.rb +0 -72
- data/test/integration/test_scrubbers.rb +0 -400
- data/test/integration/test_xml.rb +0 -55
- data/test/unit/test_api.rb +0 -142
- data/test/unit/test_encoding.rb +0 -20
- data/test/unit/test_helpers.rb +0 -62
- data/test/unit/test_scrubber.rb +0 -229
- data/test/unit/test_scrubbers.rb +0 -14
checksums.yaml
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
---
|
2
2
|
SHA256:
|
3
|
-
metadata.gz:
|
4
|
-
data.tar.gz:
|
3
|
+
metadata.gz: fc4c92807e83a1ba62b6b092217150c2784904f3e0ba5c3aff1a4f0415faa739
|
4
|
+
data.tar.gz: a1e7028ff5eea1725b46adde2f14b350cae3381e6770c33db14714c380875241
|
5
5
|
SHA512:
|
6
|
-
metadata.gz:
|
7
|
-
data.tar.gz:
|
6
|
+
metadata.gz: 268e899470213cd80a6a7f661a754dd029f217f559006f9a587a7977c7ebcad4b440a7e6c3a476d6e8a26fea27e114541d985413f593b32b020adc93794e81ee
|
7
|
+
data.tar.gz: b59bcf306343775afa03d313534801e9259db2462acbfd7f52f7e91b7b98657c51ba78fa0f7a2dcaa6c24167da4e6e93803e63622228e74bab1ec98813c24cad
|
data/CHANGELOG.md
CHANGED
@@ -1,12 +1,250 @@
|
|
1
1
|
# Changelog
|
2
2
|
|
3
|
+
## 2.21.1 / 2023-05-10
|
4
|
+
|
5
|
+
### Fixed
|
6
|
+
|
7
|
+
* Don't define `HTML5::Document` and `HTML5::DocumentFragment` when Nokogiri is `< 1.14`. In 2.21.0 these classes were defined whenever `Nokogiri::HTML5` was defined, but Nokogiri v1.12 and v1.13 do not support Loofah subclassing properly.
|
8
|
+
|
9
|
+
|
10
|
+
## 2.21.0 / 2023-05-10
|
11
|
+
|
12
|
+
### HTML5 Support
|
13
|
+
|
14
|
+
Classes `Loofah::HTML5::Document` and `Loofah::HTML5::DocumentFragment` are introduced, along with helper methods:
|
15
|
+
|
16
|
+
- `Loofah.html5_document`
|
17
|
+
- `Loofah.html5_fragment`
|
18
|
+
- `Loofah.scrub_html5_document`
|
19
|
+
- `Loofah.scrub_html5_fragment`
|
20
|
+
|
21
|
+
These classes and methods use Nokogiri's HTML5 parser to ensure modern web standards are used.
|
22
|
+
|
23
|
+
⚠ HTML5 functionality is only available with Nokogiri v1.14.0 and higher.
|
24
|
+
|
25
|
+
⚠ HTML5 functionality is not available for JRuby. Please see [this upstream Nokogiri issue](https://github.com/sparklemotion/nokogiri/issues/2227) if you're interested in helping implement and support HTML5 support.
|
26
|
+
|
27
|
+
|
28
|
+
### `Loofah::HTML4` module and namespace
|
29
|
+
|
30
|
+
`Loofah::HTML` has been renamed to `Loofah::HTML4`, and `Loofah::HTML` is aliased to preserve backwards-compatibility. `Nokogiri::HTML` and `Nokogiri::HTML4` parse methods still use libxml2's (or NekoHTML's) HTML4 parser.
|
31
|
+
|
32
|
+
Take special note that if you rely on the class name of an object in your code, objects will now report a class of `Loofah::HTML4::Foo` where they previously reported `Loofah::HTML::Foo`. Instead of relying on the string returned by `Object#class`, prefer `Class#===` or `Object#is_a?` or `Object#instance_of?`.
|
33
|
+
|
34
|
+
Future releases of Nokogiri may deprecate `HTML` classes and methods or otherwise change this behavior, so please start using `HTML4` in place of `HTML`.
|
35
|
+
|
36
|
+
|
37
|
+
### Official support for JRuby
|
38
|
+
|
39
|
+
This version introduces official support for JRuby. Previously, the test suite had never been green due to differences in behavior in the underlying HTML parser used by Nokogiri. We've updated the test suite to accommodate those differences, and have added JRuby to the CI suite.
|
40
|
+
|
41
|
+
|
42
|
+
## 2.20.0 / 2023-04-01
|
43
|
+
|
44
|
+
### Features
|
45
|
+
|
46
|
+
* Allow SVG attributes `color-profile`, `cursor`, `filter`, `marker`, and `mask`. [[#246](https://github.com/flavorjones/loofah/issues/246)]
|
47
|
+
* Allow SVG elements `altGlyph`, `cursor`, `feImage`, `pattern`, and `tref`. [[#246](https://github.com/flavorjones/loofah/issues/246)]
|
48
|
+
* Allow protocols `fax` and `modem`. [[#255](https://github.com/flavorjones/loofah/issues/255)] (Thanks, [@cjba7](https://github.com/cjba7)!)
|
49
|
+
|
50
|
+
|
51
|
+
## 2.19.1 / 2022-12-13
|
52
|
+
|
53
|
+
### Security
|
54
|
+
|
55
|
+
* Address CVE-2022-23514, inefficient regular expression complexity. See [GHSA-486f-hjj9-9vhh](https://github.com/flavorjones/loofah/security/advisories/GHSA-486f-hjj9-9vhh) for more information.
|
56
|
+
* Address CVE-2022-23515, improper neutralization of data URIs. See [GHSA-228g-948r-83gx](https://github.com/flavorjones/loofah/security/advisories/GHSA-228g-948r-83gx) for more information.
|
57
|
+
* Address CVE-2022-23516, uncontrolled recursion. See [GHSA-3x8r-x6xp-q4vm](https://github.com/flavorjones/loofah/security/advisories/GHSA-3x8r-x6xp-q4vm) for more information.
|
58
|
+
|
59
|
+
|
60
|
+
## 2.19.0 / 2022-09-14
|
61
|
+
|
62
|
+
### Features
|
63
|
+
|
64
|
+
* Allow SVG 1.0 color keyword names in CSS attributes. These colors are part of the [CSS Color Module Level 3](https://www.w3.org/TR/css-color-3/#svg-color) recommendation released 2022-01-18. [[#243](https://github.com/flavorjones/loofah/issues/243)]
|
65
|
+
|
66
|
+
|
67
|
+
## 2.18.0 / 2022-05-11
|
68
|
+
|
69
|
+
### Features
|
70
|
+
|
71
|
+
* Allow CSS property `aspect-ratio`. [[#236](https://github.com/flavorjones/loofah/issues/236)] (Thanks, [@louim](https://github.com/louim)!)
|
72
|
+
|
73
|
+
|
74
|
+
## 2.17.0 / 2022-04-28
|
75
|
+
|
76
|
+
### Features
|
77
|
+
|
78
|
+
* Allow ARIA attributes. [[#232](https://github.com/flavorjones/loofah/issues/232), [#233](https://github.com/flavorjones/loofah/issues/233)] (Thanks, [@nick-desteffen](https://github.com/nick-desteffen)!)
|
79
|
+
|
80
|
+
|
81
|
+
## 2.16.0 / 2022-04-01
|
82
|
+
|
83
|
+
### Features
|
84
|
+
|
85
|
+
* Allow MathML elements `menclose` and `ms`, and MathML attributes `dir`, `href`, `lquote`, `mathsize`, `notation`, and `rquote`. [[#231](https://github.com/flavorjones/loofah/issues/231)] (Thanks, [@nick-desteffen](https://github.com/nick-desteffen)!)
|
86
|
+
|
87
|
+
|
88
|
+
## 2.15.0 / 2022-03-14
|
89
|
+
|
90
|
+
### Features
|
91
|
+
|
92
|
+
* Expand set of allowed protocols to include `sms:`. [[#228](https://github.com/flavorjones/loofah/issues/228)] (Thanks, [@brendon](https://github.com/brendon)!)
|
93
|
+
|
94
|
+
|
95
|
+
## 2.14.0 / 2022-02-11
|
96
|
+
|
97
|
+
### Features
|
98
|
+
|
99
|
+
* The `#to_text` method on `Loofah::HTML::{Document,DocumentFragment}` replaces `<br>` line break elements with a newline. [[#225](https://github.com/flavorjones/loofah/issues/225)]
|
100
|
+
|
101
|
+
|
102
|
+
## 2.13.0 / 2021-12-10
|
103
|
+
|
104
|
+
### Bug fixes
|
105
|
+
|
106
|
+
* Loofah::HTML::DocumentFragment#text no longer serializes top-level comment children. [[#221](https://github.com/flavorjones/loofah/issues/221)]
|
107
|
+
|
108
|
+
|
109
|
+
## 2.12.0 / 2021-08-11
|
110
|
+
|
111
|
+
### Features
|
112
|
+
|
113
|
+
* Support empty HTML5 data attributes. [[#215](https://github.com/flavorjones/loofah/issues/215)]
|
114
|
+
|
115
|
+
|
116
|
+
## 2.11.0 / 2021-07-31
|
117
|
+
|
118
|
+
### Features
|
119
|
+
|
120
|
+
* Allow HTML5 element `wbr`.
|
121
|
+
* Allow all CSS property values for `border-collapse`. [[#201](https://github.com/flavorjones/loofah/issues/201)]
|
122
|
+
|
123
|
+
|
124
|
+
### Changes
|
125
|
+
|
126
|
+
* Deprecating `Loofah::HTML5::SafeList::VOID_ELEMENTS` which is not a canonical list of void HTML4 or HTML5 elements.
|
127
|
+
* Removed some elements from `Loofah::HTML5::SafeList::VOID_ELEMENTS` that either are not acceptable elements or aren't considered "void" by libxml2.
|
128
|
+
|
129
|
+
|
130
|
+
## 2.10.0 / 2021-06-06
|
131
|
+
|
132
|
+
### Features
|
133
|
+
|
134
|
+
* Allow CSS properties `overflow-x` and `overflow-y`. [[#206](https://github.com/flavorjones/loofah/issues/206)] (Thanks, [@sampokuokkanen](https://github.com/sampokuokkanen)!)
|
135
|
+
|
136
|
+
|
137
|
+
## 2.9.1 / 2021-04-07
|
138
|
+
|
139
|
+
### Bug fixes
|
140
|
+
|
141
|
+
* Fix a regression in v2.9.0 which inappropriately removed CSS properties with quoted string values. [[#202](https://github.com/flavorjones/loofah/issues/202)]
|
142
|
+
|
143
|
+
|
144
|
+
## 2.9.0 / 2021-01-14
|
145
|
+
|
146
|
+
### Features
|
147
|
+
|
148
|
+
* Handle CSS functions in a CSS shorthand property (like `background`). [[#199](https://github.com/flavorjones/loofah/issues/199), [#200](https://github.com/flavorjones/loofah/issues/200)]
|
149
|
+
|
150
|
+
|
151
|
+
## 2.8.0 / 2020-11-25
|
152
|
+
|
153
|
+
### Features
|
154
|
+
|
155
|
+
* Allow CSS properties `order`, `flex-direction`, `flex-grow`, `flex-wrap`, `flex-shrink`, `flex-flow`, `flex-basis`, `flex`, `justify-content`, `align-self`, `align-items`, and `align-content`. [[#197](https://github.com/flavorjones/loofah/issues/197)] (Thanks, [@miguelperez](https://github.com/miguelperez)!)
|
156
|
+
|
157
|
+
|
158
|
+
## 2.7.0 / 2020-08-26
|
159
|
+
|
160
|
+
### Features
|
161
|
+
|
162
|
+
* Allow CSS properties `page-break-before`, `page-break-inside`, and `page-break-after`. [[#190](https://github.com/flavorjones/loofah/issues/190)] (Thanks, [@ahorek](https://github.com/ahorek)!)
|
163
|
+
|
164
|
+
|
165
|
+
### Fixes
|
166
|
+
|
167
|
+
* Don't drop the `!important` rule from some CSS properties. [[#191](https://github.com/flavorjones/loofah/issues/191)] (Thanks, [@b7kich](https://github.com/b7kich)!)
|
168
|
+
|
169
|
+
|
170
|
+
## 2.6.0 / 2020-06-16
|
171
|
+
|
172
|
+
### Features
|
173
|
+
|
174
|
+
* Allow CSS `border-style` keywords. [[#188](https://github.com/flavorjones/loofah/issues/188)] (Thanks, [@tarcisiozf](https://github.com/tarcisiozf)!)
|
175
|
+
|
176
|
+
|
177
|
+
## 2.5.0 / 2020-04-05
|
178
|
+
|
179
|
+
### Features
|
180
|
+
|
181
|
+
* Allow more CSS length units: "ch", "vw", "vh", "Q", "lh", "vmin", "vmax". [[#178](https://github.com/flavorjones/loofah/issues/178)] (Thanks, [@JuanitoFatas](https://github.com/JuanitoFatas)!)
|
182
|
+
|
183
|
+
|
184
|
+
### Fixes
|
185
|
+
|
186
|
+
* Remove comments from `Loofah::HTML::Document`s that exist outside the `html` element. [[#80](https://github.com/flavorjones/loofah/issues/80)]
|
187
|
+
|
188
|
+
|
189
|
+
### Other changes
|
190
|
+
|
191
|
+
* Gem metadata being set [[#181](https://github.com/flavorjones/loofah/issues/181)] (Thanks, [@JuanitoFatas](https://github.com/JuanitoFatas)!)
|
192
|
+
* Test files removed from gem file [[#180](https://github.com/flavorjones/loofah/issues/180),[#166](https://github.com/flavorjones/loofah/issues/166),[#159](https://github.com/flavorjones/loofah/issues/159)] (Thanks, [@JuanitoFatas](https://github.com/JuanitoFatas) and [@greysteil](https://github.com/greysteil)!)
|
193
|
+
|
194
|
+
|
195
|
+
## 2.4.0 / 2019-11-25
|
196
|
+
|
197
|
+
### Features
|
198
|
+
|
199
|
+
* Allow CSS property `max-width` [[#175](https://github.com/flavorjones/loofah/issues/175)] (Thanks, [@bchaney](https://github.com/bchaney)!)
|
200
|
+
* Allow CSS sizes expressed in `rem` [[#176](https://github.com/flavorjones/loofah/issues/176), [#177](https://github.com/flavorjones/loofah/issues/177)]
|
201
|
+
* Add `frozen_string_literal: true` magic comment to all `lib` files. [[#118](https://github.com/flavorjones/loofah/issues/118)]
|
202
|
+
|
203
|
+
|
204
|
+
## 2.3.1 / 2019-10-22
|
205
|
+
|
206
|
+
### Security
|
207
|
+
|
208
|
+
Address CVE-2019-15587: Unsanitized JavaScript may occur in sanitized output when a crafted SVG element is republished.
|
209
|
+
|
210
|
+
This CVE's public notice is at [#171](https://github.com/flavorjones/loofah/issues/171)
|
211
|
+
|
212
|
+
|
213
|
+
## 2.3.0 / 2019-09-28
|
214
|
+
|
215
|
+
### Features
|
216
|
+
|
217
|
+
* Expand set of allowed protocols to include `tel:` and `line:`. [[#104](https://github.com/flavorjones/loofah/issues/104), [#147](https://github.com/flavorjones/loofah/issues/147)]
|
218
|
+
* Expand set of allowed CSS functions. [related to [#122](https://github.com/flavorjones/loofah/issues/122)]
|
219
|
+
* Allow greater precision in shorthand CSS values. [[#149](https://github.com/flavorjones/loofah/issues/149)] (Thanks, [@danfstucky](https://github.com/danfstucky)!)
|
220
|
+
* Allow CSS property `list-style` [[#162](https://github.com/flavorjones/loofah/issues/162)] (Thanks, [@jaredbeck](https://github.com/jaredbeck)!)
|
221
|
+
* Allow CSS keywords `thick` and `thin` [[#168](https://github.com/flavorjones/loofah/issues/168)] (Thanks, [@georgeclaghorn](https://github.com/georgeclaghorn)!)
|
222
|
+
* Allow HTML property `contenteditable` [[#167](https://github.com/flavorjones/loofah/issues/167)] (Thanks, [@andreynering](https://github.com/andreynering)!)
|
223
|
+
|
224
|
+
|
225
|
+
### Bug fixes
|
226
|
+
|
227
|
+
* CSS hex values are no longer limited to lowercase hex. Previously uppercase hex were scrubbed. [[#165](https://github.com/flavorjones/loofah/issues/165)] (Thanks, [@asok](https://github.com/asok)!)
|
228
|
+
|
229
|
+
|
230
|
+
### Deprecations / Name Changes
|
231
|
+
|
232
|
+
The following method and constants are hereby deprecated, and will be completely removed in a future release:
|
233
|
+
|
234
|
+
* Deprecate `Loofah::Helpers::ActionView.white_list_sanitizer`, please use `Loofah::Helpers::ActionView.safe_list_sanitizer` instead.
|
235
|
+
* Deprecate `Loofah::Helpers::ActionView::WhiteListSanitizer`, please use `Loofah::Helpers::ActionView::SafeListSanitizer` instead.
|
236
|
+
* Deprecate `Loofah::HTML5::WhiteList`, please use `Loofah::HTML5::SafeList` instead.
|
237
|
+
|
238
|
+
Thanks to [@JuanitoFatas](https://github.com/JuanitoFatas) for submitting these changes in [#164](https://github.com/flavorjones/loofah/issues/164) and for making the language used in Loofah more inclusive.
|
239
|
+
|
240
|
+
|
3
241
|
## 2.2.3 / 2018-10-30
|
4
242
|
|
5
243
|
### Security
|
6
244
|
|
7
245
|
Address CVE-2018-16468: Unsanitized JavaScript may occur in sanitized output when a crafted SVG element is republished.
|
8
246
|
|
9
|
-
This CVE's public notice is at https://github.com/flavorjones/loofah/issues/154
|
247
|
+
This CVE's public notice is at [#154](https://github.com/flavorjones/loofah/issues/154)
|
10
248
|
|
11
249
|
|
12
250
|
## Meta / 2018-10-27
|
@@ -33,76 +271,76 @@ attribute scrubbers should they need to address CVE-2018-8048.
|
|
33
271
|
|
34
272
|
Addresses CVE-2018-8048. Loofah allowed non-whitelisted attributes to be present in sanitized output when input with specially-crafted HTML fragments.
|
35
273
|
|
36
|
-
This CVE's public notice is at https://github.com/flavorjones/loofah/issues/144
|
274
|
+
This CVE's public notice is at [#144](https://github.com/flavorjones/loofah/issues/144)
|
37
275
|
|
38
276
|
|
39
277
|
## 2.2.0 / 2018-02-11
|
40
278
|
|
41
279
|
### Features:
|
42
280
|
|
43
|
-
* Support HTML5 `<main>` tag. #133 (Thanks, @MothOnMars!)
|
44
|
-
* Recognize HTML5 block elements. #136 (Thanks, @MothOnMars!)
|
45
|
-
* Support SVG `<symbol>` tag. #131 (Thanks, @baopham!)
|
46
|
-
* Support for whitelisting CSS functions, initially just `calc` and `rgb`. #122
|
47
|
-
* Whitelist CSS property `list-style-type`. #68
|
281
|
+
* Support HTML5 `<main>` tag. [#133](https://github.com/flavorjones/loofah/issues/133) (Thanks, [@MothOnMars](https://github.com/MothOnMars)!)
|
282
|
+
* Recognize HTML5 block elements. [#136](https://github.com/flavorjones/loofah/issues/136) (Thanks, [@MothOnMars](https://github.com/MothOnMars)!)
|
283
|
+
* Support SVG `<symbol>` tag. [#131](https://github.com/flavorjones/loofah/issues/131) (Thanks, [@baopham](https://github.com/baopham)!)
|
284
|
+
* Support for whitelisting CSS functions, initially just `calc` and `rgb`. [#122](https://github.com/flavorjones/loofah/issues/122)/[#123](https://github.com/flavorjones/loofah/issues/123)/[#129](https://github.com/flavorjones/loofah/issues/129) (Thanks, [@NikoRoberts](https://github.com/NikoRoberts)!)
|
285
|
+
* Whitelist CSS property `list-style-type`. [#68](https://github.com/flavorjones/loofah/issues/68)/[#137](https://github.com/flavorjones/loofah/issues/137)/[#142](https://github.com/flavorjones/loofah/issues/142) (Thanks, [@andela-ysanni](https://github.com/andela-ysanni) and [@NikoRoberts](https://github.com/NikoRoberts)!)
|
48
286
|
|
49
287
|
### Bugfixes:
|
50
288
|
|
51
|
-
* Properly handle nested `script` tags. #127.
|
289
|
+
* Properly handle nested `script` tags. [#127](https://github.com/flavorjones/loofah/issues/127).
|
52
290
|
|
53
291
|
|
54
292
|
## 2.1.1 / 2017-09-24
|
55
293
|
|
56
294
|
### Bugfixes:
|
57
295
|
|
58
|
-
* Removed warning for unused variable. #124 (Thanks, @y-yagi!)
|
296
|
+
* Removed warning for unused variable. [#124](https://github.com/flavorjones/loofah/issues/124) (Thanks, [@y-yagi](https://github.com/y-yagi)!)
|
59
297
|
|
60
298
|
|
61
299
|
## 2.1.0 / 2017-09-24
|
62
300
|
|
63
301
|
### Notes:
|
64
302
|
|
65
|
-
* Re-implemented CSS parsing and sanitization using the [crass](https://github.com/rgrove/crass) library. #91
|
303
|
+
* Re-implemented CSS parsing and sanitization using the [crass](https://github.com/rgrove/crass) library. [#91](https://github.com/flavorjones/loofah/issues/91)
|
66
304
|
|
67
305
|
|
68
306
|
### Features:
|
69
307
|
|
70
|
-
* Added :noopener HTML scrubber (Thanks, @tastycode!)
|
71
|
-
* Support `data` URIs with the following media types: text/plain, text/css, image/png, image/gif, image/jpeg, image/svg+xml. #101, #120. (Thanks, @mrpasquini!)
|
308
|
+
* Added :noopener HTML scrubber (Thanks, [@tastycode](https://github.com/tastycode)!)
|
309
|
+
* Support `data` URIs with the following media types: text/plain, text/css, image/png, image/gif, image/jpeg, image/svg+xml. [#101](https://github.com/flavorjones/loofah/issues/101), [#120](https://github.com/flavorjones/loofah/issues/120). (Thanks, [@mrpasquini](https://github.com/mrpasquini)!)
|
72
310
|
|
73
311
|
|
74
312
|
### Bugfixes:
|
75
313
|
|
76
|
-
* The :unprintable scrubber now scrubs unprintable characters in CDATA nodes (like `<script>`). #124
|
77
|
-
* Allow negative values in CSS properties. Restores functionality that was reverted in v2.0.3. #91
|
314
|
+
* The :unprintable scrubber now scrubs unprintable characters in CDATA nodes (like `<script>`). [#124](https://github.com/flavorjones/loofah/issues/124)
|
315
|
+
* Allow negative values in CSS properties. Restores functionality that was reverted in v2.0.3. [#91](https://github.com/flavorjones/loofah/issues/91)
|
78
316
|
|
79
317
|
|
80
318
|
## 2.0.3 / 2015-08-17
|
81
319
|
|
82
320
|
### Bug fixes:
|
83
321
|
|
84
|
-
* Revert support for negative values in CSS properties due to slow performance. #90 (Related to #85.)
|
322
|
+
* Revert support for negative values in CSS properties due to slow performance. [#90](https://github.com/flavorjones/loofah/issues/90) (Related to [#85](https://github.com/flavorjones/loofah/issues/85).)
|
85
323
|
|
86
324
|
|
87
325
|
## 2.0.2 / 2015-05-05
|
88
326
|
|
89
327
|
### Bug fixes:
|
90
328
|
|
91
|
-
* Fix error with `#to_text` when Loofah::Helpers hadn't been required. #75
|
92
|
-
* Allow multi-word data attributes. #84 (Thanks, @jstorimer!)
|
93
|
-
* Allow negative values in CSS properties. #85 (Thanks, @siddhartham!)
|
329
|
+
* Fix error with `#to_text` when Loofah::Helpers hadn't been required. [#75](https://github.com/flavorjones/loofah/issues/75)
|
330
|
+
* Allow multi-word data attributes. [#84](https://github.com/flavorjones/loofah/issues/84) (Thanks, [@jstorimer](https://github.com/jstorimer)!)
|
331
|
+
* Allow negative values in CSS properties. [#85](https://github.com/flavorjones/loofah/issues/85) (Thanks, [@siddhartham](https://github.com/siddhartham)!)
|
94
332
|
|
95
333
|
|
96
334
|
## 2.0.1 / 2014-08-21
|
97
335
|
|
98
336
|
### Bug fixes:
|
99
337
|
|
100
|
-
* Load RR correctly when running test files directly. (Thanks, @ktdreyer!)
|
338
|
+
* Load RR correctly when running test files directly. (Thanks, [@ktdreyer](https://github.com/ktdreyer)!)
|
101
339
|
|
102
340
|
|
103
341
|
### Notes:
|
104
342
|
|
105
|
-
* Extracted HTML5::Scrub#scrub_css_attribute to accommodate the Rails integration work. (Thanks, @kaspth!)
|
343
|
+
* Extracted HTML5::Scrub#scrub_css_attribute to accommodate the Rails integration work. (Thanks, [@kaspth](https://github.com/kaspth)!)
|
106
344
|
|
107
345
|
|
108
346
|
## 2.0.0 / 2014-05-09
|
@@ -118,19 +356,19 @@ This CVE's public notice is at https://github.com/flavorjones/loofah/issues/144
|
|
118
356
|
* tags: `article`, `aside`, `bdi`, `bdo`, `canvas`, `command`, `datalist`, `details`, `figcaption`, `figure`, `footer`, `header`, `mark`, `meter`, `nav`, `output`, `section`, `summary`, `time`
|
119
357
|
* attributes: `data-*` (Thanks, Rafael Franca!)
|
120
358
|
* URI attributes: `poster` and `preload`
|
121
|
-
* Addition of the `:unprintable` scrubber to remove unprintable characters from text nodes. #65 (Thanks, Matt Swanson!)
|
122
|
-
* `Loofah.fragment` accepts an optional encoding argument, compatible with `Nokogiri::HTML::DocumentFragment.parse`. #62 (Thanks, Ben Atkins!)
|
359
|
+
* Addition of the `:unprintable` scrubber to remove unprintable characters from text nodes. [#65](https://github.com/flavorjones/loofah/issues/65) (Thanks, Matt Swanson!)
|
360
|
+
* `Loofah.fragment` accepts an optional encoding argument, compatible with `Nokogiri::HTML::DocumentFragment.parse`. [#62](https://github.com/flavorjones/loofah/issues/62) (Thanks, Ben Atkins!)
|
123
361
|
* HTML5 sanitizers now remove attributes without values. (Thanks, Kasper Timm Hansen!)
|
124
362
|
|
125
363
|
### Bug fixes:
|
126
364
|
|
127
365
|
* HTML5 sanitizers' CSS keyword check now actually works (broken in v2.0). Additional regression tests added. (Thanks, Kasper Timm Hansen!)
|
128
|
-
* HTML5 sanitizers now allow negative arguments to CSS. #64 (Thanks, Jon Calhoun!)
|
366
|
+
* HTML5 sanitizers now allow negative arguments to CSS. [#64](https://github.com/flavorjones/loofah/issues/64) (Thanks, Jon Calhoun!)
|
129
367
|
|
130
368
|
|
131
369
|
## 1.2.1 (2012-04-14)
|
132
370
|
|
133
|
-
* Declaring encoding in html5/scrub.rb. Without this, use of the ruby -KU option would cause havoc. (#32)
|
371
|
+
* Declaring encoding in html5/scrub.rb. Without this, use of the ruby -KU option would cause havoc. ([#32](https://github.com/flavorjones/loofah/issues/32))
|
134
372
|
|
135
373
|
|
136
374
|
## 1.2.0 (2011-08-08)
|
@@ -148,7 +386,7 @@ This CVE's public notice is at https://github.com/flavorjones/loofah/issues/144
|
|
148
386
|
* Additional HTML5lib whitelist elements (from html5lib 1524:80b5efe26230).
|
149
387
|
Up to date with HTML5lib ruby code as of 1723:7ee6a0331856.
|
150
388
|
* Whitelists (which are not part of the public API) are now Sets (were previously Arrays).
|
151
|
-
* Don't explode when encountering UTF-8 URIs. (#25, #29)
|
389
|
+
* Don't explode when encountering UTF-8 URIs. ([#25](https://github.com/flavorjones/loofah/issues/25), [#29](https://github.com/flavorjones/loofah/issues/29))
|
152
390
|
|
153
391
|
|
154
392
|
## 1.0.0 (2010-10-26)
|
@@ -166,7 +404,7 @@ This CVE's public notice is at https://github.com/flavorjones/loofah/issues/144
|
|
166
404
|
* New methods Loofah::HTML::Document#to_text and
|
167
405
|
Loofah::HTML::DocumentFragment#to_text do the right thing with
|
168
406
|
whitespace. Note that these methods are significantly slower than
|
169
|
-
#text. GH #12
|
407
|
+
#text. GH [#12](https://github.com/flavorjones/loofah/issues/12)
|
170
408
|
* Loofah::Elements::BLOCK_LEVEL contains a canonical list of HTML4 block-level4 elements.
|
171
409
|
* Loofah::HTML::Document#text and Loofah::HTML::DocumentFragment#text
|
172
410
|
will return unescaped HTML entities by passing :encode_special_chars => false.
|
@@ -180,7 +418,7 @@ This CVE's public notice is at https://github.com/flavorjones/loofah/issues/144
|
|
180
418
|
|
181
419
|
### Bug fixes:
|
182
420
|
|
183
|
-
* Loofah::XssFoliate was not properly escaping HTML entities when implicitly scrubbing a string attribute. GH #17
|
421
|
+
* Loofah::XssFoliate was not properly escaping HTML entities when implicitly scrubbing a string attribute. GH [#17](https://github.com/flavorjones/loofah/issues/17)
|
184
422
|
|
185
423
|
|
186
424
|
## 0.4.3 (2010-01-29)
|
@@ -208,7 +446,7 @@ This CVE's public notice is at https://github.com/flavorjones/loofah/issues/144
|
|
208
446
|
|
209
447
|
### Bug fixes:
|
210
448
|
|
211
|
-
* Supporting Rails apps that aren't loading ActiveRecord. GH #10
|
449
|
+
* Supporting Rails apps that aren't loading ActiveRecord. GH [#10](https://github.com/flavorjones/loofah/issues/10)
|
212
450
|
|
213
451
|
### Miscellaneous:
|
214
452
|
|
@@ -269,13 +507,13 @@ This CVE's public notice is at https://github.com/flavorjones/loofah/issues/144
|
|
269
507
|
### Enhancements:
|
270
508
|
|
271
509
|
* when loaded in a Rails app, automatically extend ActiveRecord::Base
|
272
|
-
with html_fragment and html_document. GH #6 (Thanks Josh Nichols!)
|
510
|
+
with html_fragment and html_document. GH [#6](https://github.com/flavorjones/loofah/issues/6) (Thanks Josh Nichols!)
|
273
511
|
|
274
512
|
### Bugfixes:
|
275
513
|
|
276
514
|
* ActiveRecord scrubbing should generate strings instead of Document or
|
277
|
-
DocumentFragment objects. GH #5
|
278
|
-
* init.rb fixed to support installation as a Rails plugin. GH #6
|
515
|
+
DocumentFragment objects. GH [#5](https://github.com/flavorjones/loofah/issues/5)
|
516
|
+
* init.rb fixed to support installation as a Rails plugin. GH [#6](https://github.com/flavorjones/loofah/issues/6)
|
279
517
|
(Thanks Josh Nichols!)
|
280
518
|
|
281
519
|
|