loofah 2.2.3 → 2.6.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: c22c1a749ff878b96f0c4a53e789834fa8072775c5abdccb68c388d6218b1bce
-  data.tar.gz: e8d00e6ff5d623b3f3d03ce83ee780a88e92138fcb71efff28194f8a7d87e5fc
+  metadata.gz: '0378734abbcf1f374d8d501038180ff4d9492e4282ffe4d6134322dd213fc80b'
+  data.tar.gz: 54955254f4179bf55adfc5bdaf3464c8a8f921f6e8e7fc92d9d2588b4fea02b1
 SHA512:
-  metadata.gz: 0d5a0160010d61a51dad8e31bc644e03454311b99b1d71c6eaea5458cfaaa228671b82db52cf2369b42c48b636b912ca0d812191ac886a5c1499c44fc5221239
-  data.tar.gz: ac479e283ef08b0df14938ec577a3aa4008d07ba3288232541928794cd0b9fe2512da88ac7fd2d123666dcad67d09c1a07307442610f61adbfd65f143ae339b5
+  metadata.gz: e80d9e87682cbfd18b6f86a10f9928c3b94fb7f123792d8284344cf65a878a1ee8258b408dac8df87791ca5beda99858dfbac6515334d87bc2d98b45cdf17802
+  data.tar.gz: da7fd4181e8f829837f0d1458e856b8ace6ed94fa13cdc227bc9432baaff0ec514f894b04b9d00157c6edddcff6a714284bc42a1c878a2ddb90d08b68931dba9

data/CHANGELOG.md

@@ -1,12 +1,83 @@
 # Changelog
 
+## 2.6.0 / 2020-06-16
+
+### Features
+
+* Allow CSS `border-style` keywords. [[#188](https://github.com/flavorjones/loofah/issues/188)] (Thanks, [@tarcisiozf](https://github.com/tarcisiozf)!)
+
+
+## 2.5.0 / 2020-04-05
+
+### Features
+
+* Allow more CSS length units: "ch", "vw", "vh", "Q", "lh", "vmin", "vmax". [[#178](https://github.com/flavorjones/loofah/issues/178)] (Thanks, [@JuanitoFatas](https://github.com/JuanitoFatas)!)
+
+
+### Fixes
+
+* Remove comments from `Loofah::HTML::Document`s that exist outside the `html` element. [[#80](https://github.com/flavorjones/loofah/issues/80)]
+
+
+### Other changes
+
+* Gem metadata being set [[#181](https://github.com/flavorjones/loofah/issues/181)] (Thanks, [@JuanitoFatas](https://github.com/JuanitoFatas)!)
+* Test files removed from gem file [[#180](https://github.com/flavorjones/loofah/issues/180),[#166](https://github.com/flavorjones/loofah/issues/166),[#159](https://github.com/flavorjones/loofah/issues/159)] (Thanks, [@JuanitoFatas](https://github.com/JuanitoFatas) and [@greysteil](https://github.com/greysteil)!)
+
+
+## 2.4.0 / 2019-11-25
+
+### Features
+
+* Allow CSS property `max-width` [[#175](https://github.com/flavorjones/loofah/issues/175)] (Thanks, [@bchaney](https://github.com/bchaney)!)
+* Allow CSS sizes expressed in `rem` [[#176](https://github.com/flavorjones/loofah/issues/176), [#177](https://github.com/flavorjones/loofah/issues/177)]
+* Add `frozen_string_literal: true` magic comment to all `lib` files. [[#118](https://github.com/flavorjones/loofah/issues/118)]
+
+
+## 2.3.1 / 2019-10-22
+
+### Security
+
+Address CVE-2019-15587: Unsanitized JavaScript may occur in sanitized output when a crafted SVG element is republished.
+
+This CVE's public notice is at [#171](https://github.com/flavorjones/loofah/issues/171)
+
+
+## 2.3.0 / 2019-09-28
+
+### Features
+
+* Expand set of allowed protocols to include `tel:` and `line:`. [[#104](https://github.com/flavorjones/loofah/issues/104), [#147](https://github.com/flavorjones/loofah/issues/147)]
+* Expand set of allowed CSS functions. [related to [#122](https://github.com/flavorjones/loofah/issues/122)]
+* Allow greater precision in shorthand CSS values. [[#149](https://github.com/flavorjones/loofah/issues/149)] (Thanks, [@danfstucky](https://github.com/danfstucky)!)
+* Allow CSS property `list-style` [[#162](https://github.com/flavorjones/loofah/issues/162)] (Thanks, [@jaredbeck](https://github.com/jaredbeck)!)
+* Allow CSS keywords `thick` and `thin` [[#168](https://github.com/flavorjones/loofah/issues/168)] (Thanks, [@georgeclaghorn](https://github.com/georgeclaghorn)!)
+* Allow HTML property `contenteditable` [[#167](https://github.com/flavorjones/loofah/issues/167)] (Thanks, [@andreynering](https://github.com/andreynering)!)
+
+
+### Bug fixes
+
+* CSS hex values are no longer limited to lowercase hex. Previously uppercase hex were scrubbed. [[#165](https://github.com/flavorjones/loofah/issues/165)] (Thanks, [@asok](https://github.com/asok)!)
+
+
+### Deprecations / Name Changes
+
+The following method and constants are hereby deprecated, and will be completely removed in a future release:
+
+* Deprecate `Loofah::Helpers::ActionView.white_list_sanitizer`, please use `Loofah::Helpers::ActionView.safe_list_sanitizer` instead.
+* Deprecate `Loofah::Helpers::ActionView::WhiteListSanitizer`, please use `Loofah::Helpers::ActionView::SafeListSanitizer` instead.
+* Deprecate `Loofah::HTML5::WhiteList`, please use `Loofah::HTML5::SafeList` instead.
+
+Thanks to [@JuanitoFatas](https://github.com/JuanitoFatas) for submitting these changes in [#164](https://github.com/flavorjones/loofah/issues/164) and for making the language used in Loofah more inclusive.
+
+
 ## 2.2.3 / 2018-10-30
 
 ### Security
 
 Address CVE-2018-16468: Unsanitized JavaScript may occur in sanitized output when a crafted SVG element is republished.
 
-This CVE's public notice is at https://github.com/flavorjones/loofah/issues/154
+This CVE's public notice is at [#154](https://github.com/flavorjones/loofah/issues/154)
 
 
 ## Meta / 2018-10-27
@@ -33,76 +104,76 @@ attribute scrubbers should they need to address CVE-2018-8048.
 
 Addresses CVE-2018-8048. Loofah allowed non-whitelisted attributes to be present in sanitized output when input with specially-crafted HTML fragments.
 
-This CVE's public notice is at https://github.com/flavorjones/loofah/issues/144
+This CVE's public notice is at [#144](https://github.com/flavorjones/loofah/issues/144)
 
 
 ## 2.2.0 / 2018-02-11
 
 ### Features:
 
-* Support HTML5 `<main>` tag. #133 (Thanks, @MothOnMars!)
-* Recognize HTML5 block elements. #136 (Thanks, @MothOnMars!)
-* Support SVG `<symbol>` tag. #131 (Thanks, @baopham!)
-* Support for whitelisting CSS functions, initially just `calc` and `rgb`. #122/#123/#129 (Thanks, @NikoRoberts!)
-* Whitelist CSS property `list-style-type`. #68/#137/#142 (Thanks, @andela-ysanni and @NikoRoberts!)
+* Support HTML5 `<main>` tag. [#133](https://github.com/flavorjones/loofah/issues/133) (Thanks, [@MothOnMars](https://github.com/MothOnMars)!)
+* Recognize HTML5 block elements. [#136](https://github.com/flavorjones/loofah/issues/136) (Thanks, [@MothOnMars](https://github.com/MothOnMars)!)
+* Support SVG `<symbol>` tag. [#131](https://github.com/flavorjones/loofah/issues/131) (Thanks, [@baopham](https://github.com/baopham)!)
+* Support for whitelisting CSS functions, initially just `calc` and `rgb`. [#122](https://github.com/flavorjones/loofah/issues/122)/[#123](https://github.com/flavorjones/loofah/issues/123)/[#129](https://github.com/flavorjones/loofah/issues/129) (Thanks, [@NikoRoberts](https://github.com/NikoRoberts)!)
+* Whitelist CSS property `list-style-type`. [#68](https://github.com/flavorjones/loofah/issues/68)/[#137](https://github.com/flavorjones/loofah/issues/137)/[#142](https://github.com/flavorjones/loofah/issues/142) (Thanks, [@andela-ysanni](https://github.com/andela-ysanni) and [@NikoRoberts](https://github.com/NikoRoberts)!)
 
 ### Bugfixes:
 
-* Properly handle nested `script` tags. #127.
+* Properly handle nested `script` tags. [#127](https://github.com/flavorjones/loofah/issues/127).
 
 
 ## 2.1.1 / 2017-09-24
 
 ### Bugfixes:
 
-* Removed warning for unused variable. #124 (Thanks, @y-yagi!)
+* Removed warning for unused variable. [#124](https://github.com/flavorjones/loofah/issues/124) (Thanks, [@y-yagi](https://github.com/y-yagi)!)
 
 
 ## 2.1.0 / 2017-09-24
 
 ### Notes:
 
-* Re-implemented CSS parsing and sanitization using the [crass](https://github.com/rgrove/crass) library. #91
+* Re-implemented CSS parsing and sanitization using the [crass](https://github.com/rgrove/crass) library. [#91](https://github.com/flavorjones/loofah/issues/91)
 
 
 ### Features:
 
-* Added :noopener HTML scrubber (Thanks, @tastycode!)
-* Support `data` URIs with the following media types: text/plain, text/css, image/png, image/gif, image/jpeg, image/svg+xml. #101, #120. (Thanks, @mrpasquini!)
+* Added :noopener HTML scrubber (Thanks, [@tastycode](https://github.com/tastycode)!)
+* Support `data` URIs with the following media types: text/plain, text/css, image/png, image/gif, image/jpeg, image/svg+xml. [#101](https://github.com/flavorjones/loofah/issues/101), [#120](https://github.com/flavorjones/loofah/issues/120). (Thanks, [@mrpasquini](https://github.com/mrpasquini)!)
 
 
 ### Bugfixes:
 
-* The :unprintable scrubber now scrubs unprintable characters in CDATA nodes (like `<script>`). #124
-* Allow negative values in CSS properties. Restores functionality that was reverted in v2.0.3. #91
+* The :unprintable scrubber now scrubs unprintable characters in CDATA nodes (like `<script>`). [#124](https://github.com/flavorjones/loofah/issues/124)
+* Allow negative values in CSS properties. Restores functionality that was reverted in v2.0.3. [#91](https://github.com/flavorjones/loofah/issues/91)
 
 
 ## 2.0.3 / 2015-08-17
 
 ### Bug fixes:
 
-* Revert support for negative values in CSS properties due to slow performance. #90 (Related to #85.)
+* Revert support for negative values in CSS properties due to slow performance. [#90](https://github.com/flavorjones/loofah/issues/90) (Related to [#85](https://github.com/flavorjones/loofah/issues/85).)
 
 
 ## 2.0.2 / 2015-05-05
 
 ### Bug fixes:
 
-* Fix error with `#to_text` when Loofah::Helpers hadn't been required. #75
-* Allow multi-word data attributes. #84 (Thanks, @jstorimer!)
-* Allow negative values in CSS properties. #85 (Thanks, @siddhartham!)
+* Fix error with `#to_text` when Loofah::Helpers hadn't been required. [#75](https://github.com/flavorjones/loofah/issues/75)
+* Allow multi-word data attributes. [#84](https://github.com/flavorjones/loofah/issues/84) (Thanks, [@jstorimer](https://github.com/jstorimer)!)
+* Allow negative values in CSS properties. [#85](https://github.com/flavorjones/loofah/issues/85) (Thanks, [@siddhartham](https://github.com/siddhartham)!)
 
 
 ## 2.0.1 / 2014-08-21
 
 ### Bug fixes:
 
-* Load RR correctly when running test files directly. (Thanks, @ktdreyer!)
+* Load RR correctly when running test files directly. (Thanks, [@ktdreyer](https://github.com/ktdreyer)!)
 
 
 ### Notes:
 
-* Extracted HTML5::Scrub#scrub_css_attribute to accommodate the Rails integration work. (Thanks, @kaspth!)
+* Extracted HTML5::Scrub#scrub_css_attribute to accommodate the Rails integration work. (Thanks, [@kaspth](https://github.com/kaspth)!)
 
 
 ## 2.0.0 / 2014-05-09
@@ -118,19 +189,19 @@ This CVE's public notice is at https://github.com/flavorjones/loofah/issues/144
   * tags: `article`, `aside`, `bdi`, `bdo`, `canvas`, `command`, `datalist`, `details`, `figcaption`, `figure`, `footer`, `header`, `mark`, `meter`, `nav`, `output`, `section`, `summary`, `time`
   * attributes: `data-*` (Thanks, Rafael Franca!)
   * URI attributes: `poster` and `preload`
-* Addition of the `:unprintable` scrubber to remove unprintable characters from text nodes. #65 (Thanks, Matt Swanson!)
-* `Loofah.fragment` accepts an optional encoding argument, compatible with `Nokogiri::HTML::DocumentFragment.parse`. #62 (Thanks, Ben Atkins!)
+* Addition of the `:unprintable` scrubber to remove unprintable characters from text nodes. [#65](https://github.com/flavorjones/loofah/issues/65) (Thanks, Matt Swanson!)
+* `Loofah.fragment` accepts an optional encoding argument, compatible with `Nokogiri::HTML::DocumentFragment.parse`. [#62](https://github.com/flavorjones/loofah/issues/62) (Thanks, Ben Atkins!)
 * HTML5 sanitizers now remove attributes without values. (Thanks, Kasper Timm Hansen!)
 
 ### Bug fixes:
 
 * HTML5 sanitizers' CSS keyword check now actually works (broken in v2.0). Additional regression tests added. (Thanks, Kasper Timm Hansen!)
-* HTML5 sanitizers now allow negative arguments to CSS. #64 (Thanks, Jon Calhoun!)
+* HTML5 sanitizers now allow negative arguments to CSS. [#64](https://github.com/flavorjones/loofah/issues/64) (Thanks, Jon Calhoun!)
 
 
 ## 1.2.1 (2012-04-14)
 
-* Declaring encoding in html5/scrub.rb. Without this, use of the ruby -KU option would cause havoc. (#32)
+* Declaring encoding in html5/scrub.rb. Without this, use of the ruby -KU option would cause havoc. ([#32](https://github.com/flavorjones/loofah/issues/32))
 
 
 ## 1.2.0 (2011-08-08)
@@ -148,7 +219,7 @@ This CVE's public notice is at https://github.com/flavorjones/loofah/issues/144
 * Additional HTML5lib whitelist elements (from html5lib 1524:80b5efe26230).
   Up to date with HTML5lib ruby code as of 1723:7ee6a0331856.
 * Whitelists (which are not part of the public API) are now Sets (were previously Arrays).
-* Don't explode when encountering UTF-8 URIs. (#25, #29)
+* Don't explode when encountering UTF-8 URIs. ([#25](https://github.com/flavorjones/loofah/issues/25), [#29](https://github.com/flavorjones/loofah/issues/29))
 
 
 ## 1.0.0 (2010-10-26)
@@ -166,7 +237,7 @@ This CVE's public notice is at https://github.com/flavorjones/loofah/issues/144
 * New methods Loofah::HTML::Document#to_text and
   Loofah::HTML::DocumentFragment#to_text do the right thing with
   whitespace. Note that these methods are significantly slower than
-  #text. GH #12
+  #text. GH [#12](https://github.com/flavorjones/loofah/issues/12)
 * Loofah::Elements::BLOCK_LEVEL contains a canonical list of HTML4 block-level4 elements.
 * Loofah::HTML::Document#text and Loofah::HTML::DocumentFragment#text
   will return unescaped HTML entities by passing :encode_special_chars => false.
@@ -180,7 +251,7 @@ This CVE's public notice is at https://github.com/flavorjones/loofah/issues/144
 
 ### Bug fixes:
 
-* Loofah::XssFoliate was not properly escaping HTML entities when implicitly scrubbing a string attribute. GH #17
+* Loofah::XssFoliate was not properly escaping HTML entities when implicitly scrubbing a string attribute. GH [#17](https://github.com/flavorjones/loofah/issues/17)
 
 
 ## 0.4.3 (2010-01-29)
@@ -208,7 +279,7 @@ This CVE's public notice is at https://github.com/flavorjones/loofah/issues/144
 
 ### Bug fixes:
 
-* Supporting Rails apps that aren't loading ActiveRecord. GH #10
+* Supporting Rails apps that aren't loading ActiveRecord. GH [#10](https://github.com/flavorjones/loofah/issues/10)
 
 ### Miscellaneous:
 
@@ -269,13 +340,13 @@ This CVE's public notice is at https://github.com/flavorjones/loofah/issues/144
 ### Enhancements:
 
 * when loaded in a Rails app, automatically extend ActiveRecord::Base
-  with html_fragment and html_document. GH #6 (Thanks Josh Nichols!)
+  with html_fragment and html_document. GH [#6](https://github.com/flavorjones/loofah/issues/6) (Thanks Josh Nichols!)
 
 ### Bugfixes:
 
 * ActiveRecord scrubbing should generate strings instead of Document or
-  DocumentFragment objects. GH #5
-* init.rb fixed to support installation as a Rails plugin. GH #6
+  DocumentFragment objects. GH [#5](https://github.com/flavorjones/loofah/issues/5)
+* init.rb fixed to support installation as a Rails plugin. GH [#6](https://github.com/flavorjones/loofah/issues/6)
   (Thanks Josh Nichols!)
 
 

data/Gemfile

@@ -7,16 +7,18 @@ source "https://rubygems.org/"
 gem "nokogiri", ">=1.5.9"
 gem "crass", "~>1.0.2"
 
-gem "rake", ">=0.8", :group => [:development, :test]
+gem "rake", "~>12.3", :group => [:development, :test]
 gem "minitest", "~>2.2", :group => [:development, :test]
 gem "rr", "~>1.2.0", :group => [:development, :test]
-gem "json", ">=0", :group => [:development, :test]
-gem "hoe-gemspec", ">=0", :group => [:development, :test]
-gem "hoe-debugging", ">=0", :group => [:development, :test]
-gem "hoe-bundler", ">=0", :group => [:development, :test]
-gem "hoe-git", ">=0", :group => [:development, :test]
-gem "concourse", ">=0.15.0", :group => [:development, :test]
-gem "rdoc", "~>4.0", :group => [:development, :test]
-gem "hoe", "~>3.16", :group => [:development, :test]
+gem "json", "~>2.2.0", :group => [:development, :test]
+gem "hoe-gemspec", "~>1.0", :group => [:development, :test]
+gem "hoe-debugging", "~>2.0", :group => [:development, :test]
+gem "hoe-bundler", "~>1.5", :group => [:development, :test]
+gem "hoe-git", "~>1.6", :group => [:development, :test]
+gem "hoe-markdown", "~>1.2", :group => [:development, :test]
+gem "concourse", ">=0.26.0", :group => [:development, :test]
+gem "rubocop", ">=0.76.0", :group => [:development, :test]
+gem "rdoc", ">=4.0", "<7", :group => [:development, :test]
+gem "hoe", "~>3.22", :group => [:development, :test]
 
 # vim: syntax=ruby

data/Manifest.txt

@@ -1,4 +1,3 @@
-.gemtest
 CHANGELOG.md
 Gemfile
 MIT-LICENSE.txt
@@ -16,25 +15,11 @@ lib/loofah/helpers.rb
 lib/loofah/html/document.rb
 lib/loofah/html/document_fragment.rb
 lib/loofah/html5/libxml2_workarounds.rb
+lib/loofah/html5/safelist.rb
 lib/loofah/html5/scrub.rb
-lib/loofah/html5/whitelist.rb
 lib/loofah/instance_methods.rb
 lib/loofah/metahelpers.rb
 lib/loofah/scrubber.rb
 lib/loofah/scrubbers.rb
 lib/loofah/xml/document.rb
 lib/loofah/xml/document_fragment.rb
-test/assets/msword.html
-test/assets/testdata_sanitizer_tests1.dat
-test/helper.rb
-test/html5/test_sanitizer.rb
-test/integration/test_ad_hoc.rb
-test/integration/test_helpers.rb
-test/integration/test_html.rb
-test/integration/test_scrubbers.rb
-test/integration/test_xml.rb
-test/unit/test_api.rb
-test/unit/test_encoding.rb
-test/unit/test_helpers.rb
-test/unit/test_scrubber.rb
-test/unit/test_scrubbers.rb

data/README.md

@@ -8,29 +8,22 @@
 
 |System|Status|
 |--|--|
-| Concourse | [![Concourse CI](https://ci.nokogiri.org/api/v1/teams/nokogiri-core/pipelines/loofah/jobs/ruby-2.5/badge)](https://ci.nokogiri.org/teams/nokogiri-core/pipelines/loofah?groups=master) |
+| Concourse CI | [![Concourse CI](https://ci.nokogiri.org/api/v1/teams/nokogiri-core/pipelines/loofah/jobs/ruby-2.5/badge)](https://ci.nokogiri.org/teams/nokogiri-core/pipelines/loofah?groups=master) |
 | Code Climate | [![Code Climate](https://codeclimate.com/github/flavorjones/loofah.svg)](https://codeclimate.com/github/flavorjones/loofah) |
-| Version Eye | [![Version Eye](https://www.versioneye.com/ruby/loofah/badge.png)](https://www.versioneye.com/ruby/loofah) |
 
 
 ## Description
 
-Loofah is a general library for manipulating and transforming HTML/XML
-documents and fragments. It's built on top of Nokogiri and libxml2, so
-it's fast and has a nice API.
+Loofah is a general library for manipulating and transforming HTML/XML documents and fragments, built on top of Nokogiri.
 
-Loofah excels at HTML sanitization (XSS prevention). It includes some
-nice HTML sanitizers, which are based on HTML5lib's whitelist, so it
-most likely won't make your codes less secure. (These statements have
-not been evaluated by Netexperts.)
+Loofah excels at HTML sanitization (XSS prevention). It includes some nice HTML sanitizers, which are based on HTML5lib's safelist, so it most likely won't make your codes less secure. (These statements have not been evaluated by Netexperts.)
 
-ActiveRecord extensions for sanitization are available in the
-[`loofah-activerecord` gem](https://github.com/flavorjones/loofah-activerecord).
+ActiveRecord extensions for sanitization are available in the [`loofah-activerecord` gem](https://github.com/flavorjones/loofah-activerecord).
 
 
 ## Features
 
-* Easily write custom scrubbers for HTML/XML leveraging the sweetness of Nokogiri (and HTML5lib's whitelists).
+* Easily write custom scrubbers for HTML/XML leveraging the sweetness of Nokogiri (and HTML5lib's safelists).
 * Common HTML sanitizing tasks are built-in:
   * _Strip_ unsafe tags, leaving behind only the inner text.
   * _Prune_ unsafe tags and their subtrees, removing all traces that they ever existed.
@@ -222,7 +215,7 @@ Loofah.xml_document(File.read('plague.xml')).scrub!(bring_out_your_dead)
 === Built-In HTML Scrubbers
 
 Loofah comes with a set of sanitizing scrubbers that use HTML5lib's
-whitelist algorithm:
+safelist algorithm:
 
 ``` ruby
 doc.scrub!(:strip)       # replaces unknown/unsafe tags with their inner text

data/Rakefile

@@ -1,34 +1,40 @@
-require 'rubygems'
-gem 'hoe', '>= 2.3.0'
-require 'hoe'
-require 'concourse'
+require "rubygems"
+require "hoe"
+require "concourse"
 
 Hoe.plugin :git
 Hoe.plugin :gemspec
 Hoe.plugin :bundler
 Hoe.plugin :debugging
+Hoe.plugin :markdown
 
 Hoe.spec "loofah" do
   developer "Mike Dalessio", "mike.dalessio@gmail.com"
   developer "Bryan Helmkamp", "bryan@brynary.com"
 
-  self.extra_rdoc_files = FileList["*.md"]
-  self.history_file     = "CHANGELOG.md"
-  self.readme_file      = "README.md"
-  self.license          "MIT"
+  self.license "MIT"
+  self.urls = {
+    "home" => "https://github.com/flavorjones/loofah",
+    "bugs" => "https://github.com/flavorjones/loofah/issues",
+    "doco" => "https://www.rubydoc.info/gems/loofah/",
+    "clog" => "https://github.com/flavorjones/loofah/blob/master/CHANGELOG.md",
+    "code" => "https://github.com/flavorjones/loofah",
+  }
 
-  extra_deps     << ["nokogiri", ">=1.5.9"]
-  extra_deps     << ["crass", "~> 1.0.2"]
+  extra_deps << ["nokogiri", ">=1.5.9"]
+  extra_deps << ["crass", "~> 1.0.2"]
 
-  extra_dev_deps << ["rake", ">=0.8"]
+  extra_dev_deps << ["rake", "~> 12.3"]
   extra_dev_deps << ["minitest", "~>2.2"]
   extra_dev_deps << ["rr", "~>1.2.0"]
-  extra_dev_deps << ["json", ">=0"]
-  extra_dev_deps << ["hoe-gemspec", ">=0"]
-  extra_dev_deps << ["hoe-debugging", ">=0"]
-  extra_dev_deps << ["hoe-bundler", ">=0"]
-  extra_dev_deps << ["hoe-git", ">=0"]
-  extra_dev_deps << ["concourse", ">=0.15.0"]
+  extra_dev_deps << ["json", "~> 2.2.0"]
+  extra_dev_deps << ["hoe-gemspec", "~> 1.0"]
+  extra_dev_deps << ["hoe-debugging", "~> 2.0"]
+  extra_dev_deps << ["hoe-bundler", "~> 1.5"]
+  extra_dev_deps << ["hoe-git", "~> 1.6"]
+  extra_dev_deps << ["hoe-markdown", "~> 1.2"]
+  extra_dev_deps << ["concourse", ">=0.26.0"]
+  extra_dev_deps << ["rubocop", ">=0.76.0"]
 end
 
 task :gemspec do
@@ -71,9 +77,21 @@ task :doc_upload_to_rubyforge => :docs do
   end
 end
 
-desc "generate whitelists from W3C specifications"
-task :generate_whitelists do
-  load "tasks/generate-whitelists"
+desc "generate safelists from W3C specifications"
+task :generate_safelists do
+  load "tasks/generate-safelists"
 end
 
-Concourse.new("loofah").create_tasks!
+task :rubocop => [:rubocop_security, :rubocop_frozen_string_literals]
+task :rubocop_security do
+  sh "rubocop lib --only Security"
+end
+task :rubocop_frozen_string_literals do
+  sh "rubocop lib --auto-correct --only Style/FrozenStringLiteralComment"
+end
+Rake::Task[:test].prerequisites << :rubocop
+
+Concourse.new("loofah", fly_target: "ci") do |c|
+  c.add_pipeline "loofah", "loofah.yml"
+  c.add_pipeline "loofah-pr", "loofah-pr.yml"
+end