loofah 2.3.1 → 2.19.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 1196afab25d29644d1961e4516ac317a2c38dee3295f35354c468e6a9318fa55
-  data.tar.gz: 2e07ff641edb37d2b0dce2933288da4667d4b680a586912af9c171db7dfb0a63
+  metadata.gz: bd3edb0acdf2359d82564aca0bc13710d9f6c49157963d18953ff55bd7c14413
+  data.tar.gz: 3a6e11b7deb9cfb469aaf6ec919062687bd4215ef11980bded72ca298807610c
 SHA512:
-  metadata.gz: 37ac2cdb0d136da417cff62e3845c5b71769f044d8150c636a549dc9ca4cf98bcef4c6d2b6e653eff56922b95d812ed39310a406c49366c14791456ca905e8fe
-  data.tar.gz: 0fa3cdd75a3d2950801a1cfe7f8d4cad6bb73bbec67d24ba25980c09a565f6c95c5d664c1789ccd62486d1917c685a5b0f762cc073a054bbb0f02fb0222688f0
+  metadata.gz: 4970a6aa72265f60556dd6fd254375c86d3f83be23f3bbcc8b04df00ce0e801e8ef9e67d0a77ca6a21915be89226131c16a7f3540f02538cc2b9a369950dfebf
+  data.tar.gz: 27e3a06cc391ec3d9e3c966efdb6b4ce58e98c397ec87490d418406c17757e5cb0193edabaced30a9f24320c729e6730308e346610859f9f7c6d5fcc6f72cd56

data/CHANGELOG.md

@@ -1,29 +1,182 @@
 # Changelog
 
+## 2.19.1 / 2022-12-13
+
+### Security
+
+* Address CVE-2022-23514, inefficient regular expression complexity. See [GHSA-486f-hjj9-9vhh](https://github.com/flavorjones/loofah/security/advisories/GHSA-486f-hjj9-9vhh) for more information.
+* Address CVE-2022-23515, improper neutralization of data URIs. See [GHSA-228g-948r-83gx](https://github.com/flavorjones/loofah/security/advisories/GHSA-228g-948r-83gx) for more information.
+* Address CVE-2022-23516, uncontrolled recursion. See [GHSA-3x8r-x6xp-q4vm](https://github.com/flavorjones/loofah/security/advisories/GHSA-3x8r-x6xp-q4vm) for more information.
+
+
+## 2.19.0 / 2022-09-14
+
+### Features
+
+* Allow SVG 1.0 color keyword names in CSS attributes. These colors are part of the [CSS Color Module Level 3](https://www.w3.org/TR/css-color-3/#svg-color) recommendation released 2022-01-18. [[#243](https://github.com/flavorjones/loofah/issues/243)]
+
+
+## 2.18.0 / 2022-05-11
+
+### Features
+
+* Allow CSS property `aspect-ratio`. [[#236](https://github.com/flavorjones/loofah/issues/236)] (Thanks, [@louim](https://github.com/louim)!)
+
+
+## 2.17.0 / 2022-04-28
+
+### Features
+
+* Allow ARIA attributes. [[#232](https://github.com/flavorjones/loofah/issues/232), [#233](https://github.com/flavorjones/loofah/issues/233)] (Thanks, [@nick-desteffen](https://github.com/nick-desteffen)!)
+
+
+## 2.16.0 / 2022-04-01
+
+### Features
+
+* Allow MathML elements `menclose` and `ms`, and MathML attributes `dir`, `href`, `lquote`, `mathsize`, `notation`, and `rquote`. [[#231](https://github.com/flavorjones/loofah/issues/231)] (Thanks, [@nick-desteffen](https://github.com/nick-desteffen)!)
+
+
+## 2.15.0 / 2022-03-14
+
+### Features
+
+* Expand set of allowed protocols to include `sms:`. [[#228](https://github.com/flavorjones/loofah/issues/228)] (Thanks, [@brendon](https://github.com/brendon)!)
+
+
+## 2.14.0 / 2022-02-11
+
+### Features
+
+* The `#to_text` method on `Loofah::HTML::{Document,DocumentFragment}` replaces `<br>` line break elements with a newline. [[#225](https://github.com/flavorjones/loofah/issues/225)]
+
+
+## 2.13.0 / 2021-12-10
+
+### Bug fixes
+
+* Loofah::HTML::DocumentFragment#text no longer serializes top-level comment children. [[#221](https://github.com/flavorjones/loofah/issues/221)]
+
+
+## 2.12.0 / 2021-08-11
+
+### Features
+
+* Support empty HTML5 data attributes. [[#215](https://github.com/flavorjones/loofah/issues/215)]
+
+
+## 2.11.0 / 2021-07-31
+
+### Features
+
+* Allow HTML5 element `wbr`.
+* Allow all CSS property values for `border-collapse`. [[#201](https://github.com/flavorjones/loofah/issues/201)]
+
+
+### Changes
+
+* Deprecating `Loofah::HTML5::SafeList::VOID_ELEMENTS` which is not a canonical list of void HTML4 or HTML5 elements.
+* Removed some elements from `Loofah::HTML5::SafeList::VOID_ELEMENTS` that either are not acceptable elements or aren't considered "void" by libxml2.
+
+
+## 2.10.0 / 2021-06-06
+
+### Features
+
+* Allow CSS properties `overflow-x` and `overflow-y`. [[#206](https://github.com/flavorjones/loofah/issues/206)] (Thanks, [@sampokuokkanen](https://github.com/sampokuokkanen)!)
+
+
+## 2.9.1 / 2021-04-07
+
+### Bug fixes
+
+* Fix a regression in v2.9.0 which inappropriately removed CSS properties with quoted string values. [[#202](https://github.com/flavorjones/loofah/issues/202)]
+
+
+## 2.9.0 / 2021-01-14
+
+### Features
+
+* Handle CSS functions in a CSS shorthand property (like `background`). [[#199](https://github.com/flavorjones/loofah/issues/199), [#200](https://github.com/flavorjones/loofah/issues/200)]
+
+
+## 2.8.0 / 2020-11-25
+
+### Features
+
+* Allow CSS properties `order`, `flex-direction`, `flex-grow`, `flex-wrap`, `flex-shrink`, `flex-flow`, `flex-basis`, `flex`, `justify-content`, `align-self`, `align-items`, and `align-content`. [[#197](https://github.com/flavorjones/loofah/issues/197)] (Thanks, [@miguelperez](https://github.com/miguelperez)!)
+
+
+## 2.7.0 / 2020-08-26
+
+### Features
+
+* Allow CSS properties `page-break-before`, `page-break-inside`, and `page-break-after`. [[#190](https://github.com/flavorjones/loofah/issues/190)] (Thanks, [@ahorek](https://github.com/ahorek)!)
+
+
+### Fixes
+
+* Don't drop the `!important` rule from some CSS properties. [[#191](https://github.com/flavorjones/loofah/issues/191)] (Thanks, [@b7kich](https://github.com/b7kich)!)
+
+
+## 2.6.0 / 2020-06-16
+
+### Features
+
+* Allow CSS `border-style` keywords. [[#188](https://github.com/flavorjones/loofah/issues/188)] (Thanks, [@tarcisiozf](https://github.com/tarcisiozf)!)
+
+
+## 2.5.0 / 2020-04-05
+
+### Features
+
+* Allow more CSS length units: "ch", "vw", "vh", "Q", "lh", "vmin", "vmax". [[#178](https://github.com/flavorjones/loofah/issues/178)] (Thanks, [@JuanitoFatas](https://github.com/JuanitoFatas)!)
+
+
+### Fixes
+
+* Remove comments from `Loofah::HTML::Document`s that exist outside the `html` element. [[#80](https://github.com/flavorjones/loofah/issues/80)]
+
+
+### Other changes
+
+* Gem metadata being set [[#181](https://github.com/flavorjones/loofah/issues/181)] (Thanks, [@JuanitoFatas](https://github.com/JuanitoFatas)!)
+* Test files removed from gem file [[#180](https://github.com/flavorjones/loofah/issues/180),[#166](https://github.com/flavorjones/loofah/issues/166),[#159](https://github.com/flavorjones/loofah/issues/159)] (Thanks, [@JuanitoFatas](https://github.com/JuanitoFatas) and [@greysteil](https://github.com/greysteil)!)
+
+
+## 2.4.0 / 2019-11-25
+
+### Features
+
+* Allow CSS property `max-width` [[#175](https://github.com/flavorjones/loofah/issues/175)] (Thanks, [@bchaney](https://github.com/bchaney)!)
+* Allow CSS sizes expressed in `rem` [[#176](https://github.com/flavorjones/loofah/issues/176), [#177](https://github.com/flavorjones/loofah/issues/177)]
+* Add `frozen_string_literal: true` magic comment to all `lib` files. [[#118](https://github.com/flavorjones/loofah/issues/118)]
+
+
 ## 2.3.1 / 2019-10-22
 
 ### Security
 
 Address CVE-2019-15587: Unsanitized JavaScript may occur in sanitized output when a crafted SVG element is republished.
 
-This CVE's public notice is at https://github.com/flavorjones/loofah/issues/171
+This CVE's public notice is at [#171](https://github.com/flavorjones/loofah/issues/171)
 
 
 ## 2.3.0 / 2019-09-28
 
 ### Features
 
-* Expand set of allowed protocols to include `tel:` and `line:`. [#104, #147]
-* Expand set of allowed CSS functions. [related to #122]
-* Allow greater precision in shorthand CSS values. [#149] (Thanks, @danfstucky!)
-* Allow CSS property `list-style` [#162] (Thanks, @jaredbeck!)
-* Allow CSS keywords `thick` and `thin` [#168] (Thanks, @georgeclaghorn!)
-* Allow HTML property `contenteditable` [#167] (Thanks, @andreynering!)
+* Expand set of allowed protocols to include `tel:` and `line:`. [[#104](https://github.com/flavorjones/loofah/issues/104), [#147](https://github.com/flavorjones/loofah/issues/147)]
+* Expand set of allowed CSS functions. [related to [#122](https://github.com/flavorjones/loofah/issues/122)]
+* Allow greater precision in shorthand CSS values. [[#149](https://github.com/flavorjones/loofah/issues/149)] (Thanks, [@danfstucky](https://github.com/danfstucky)!)
+* Allow CSS property `list-style` [[#162](https://github.com/flavorjones/loofah/issues/162)] (Thanks, [@jaredbeck](https://github.com/jaredbeck)!)
+* Allow CSS keywords `thick` and `thin` [[#168](https://github.com/flavorjones/loofah/issues/168)] (Thanks, [@georgeclaghorn](https://github.com/georgeclaghorn)!)
+* Allow HTML property `contenteditable` [[#167](https://github.com/flavorjones/loofah/issues/167)] (Thanks, [@andreynering](https://github.com/andreynering)!)
 
 
 ### Bug fixes
 
-* CSS hex values are no longer limited to lowercase hex. Previously uppercase hex were scrubbed. [#165] (Thanks, @asok!)
+* CSS hex values are no longer limited to lowercase hex. Previously uppercase hex were scrubbed. [[#165](https://github.com/flavorjones/loofah/issues/165)] (Thanks, [@asok](https://github.com/asok)!)
 
 
 ### Deprecations / Name Changes
@@ -34,7 +187,7 @@ The following method and constants are hereby deprecated, and will be completely
 * Deprecate `Loofah::Helpers::ActionView::WhiteListSanitizer`, please use `Loofah::Helpers::ActionView::SafeListSanitizer` instead.
 * Deprecate `Loofah::HTML5::WhiteList`, please use `Loofah::HTML5::SafeList` instead.
 
-Thanks to @JuanitoFatas for submitting these changes in #164 and for making the language used in Loofah more inclusive.
+Thanks to [@JuanitoFatas](https://github.com/JuanitoFatas) for submitting these changes in [#164](https://github.com/flavorjones/loofah/issues/164) and for making the language used in Loofah more inclusive.
 
 
 ## 2.2.3 / 2018-10-30
@@ -43,7 +196,7 @@ Thanks to @JuanitoFatas for submitting these changes in #164 and for making the
 
 Address CVE-2018-16468: Unsanitized JavaScript may occur in sanitized output when a crafted SVG element is republished.
 
-This CVE's public notice is at https://github.com/flavorjones/loofah/issues/154
+This CVE's public notice is at [#154](https://github.com/flavorjones/loofah/issues/154)
 
 
 ## Meta / 2018-10-27
@@ -70,76 +223,76 @@ attribute scrubbers should they need to address CVE-2018-8048.
 
 Addresses CVE-2018-8048. Loofah allowed non-whitelisted attributes to be present in sanitized output when input with specially-crafted HTML fragments.
 
-This CVE's public notice is at https://github.com/flavorjones/loofah/issues/144
+This CVE's public notice is at [#144](https://github.com/flavorjones/loofah/issues/144)
 
 
 ## 2.2.0 / 2018-02-11
 
 ### Features:
 
-* Support HTML5 `<main>` tag. #133 (Thanks, @MothOnMars!)
-* Recognize HTML5 block elements. #136 (Thanks, @MothOnMars!)
-* Support SVG `<symbol>` tag. #131 (Thanks, @baopham!)
-* Support for whitelisting CSS functions, initially just `calc` and `rgb`. #122/#123/#129 (Thanks, @NikoRoberts!)
-* Whitelist CSS property `list-style-type`. #68/#137/#142 (Thanks, @andela-ysanni and @NikoRoberts!)
+* Support HTML5 `<main>` tag. [#133](https://github.com/flavorjones/loofah/issues/133) (Thanks, [@MothOnMars](https://github.com/MothOnMars)!)
+* Recognize HTML5 block elements. [#136](https://github.com/flavorjones/loofah/issues/136) (Thanks, [@MothOnMars](https://github.com/MothOnMars)!)
+* Support SVG `<symbol>` tag. [#131](https://github.com/flavorjones/loofah/issues/131) (Thanks, [@baopham](https://github.com/baopham)!)
+* Support for whitelisting CSS functions, initially just `calc` and `rgb`. [#122](https://github.com/flavorjones/loofah/issues/122)/[#123](https://github.com/flavorjones/loofah/issues/123)/[#129](https://github.com/flavorjones/loofah/issues/129) (Thanks, [@NikoRoberts](https://github.com/NikoRoberts)!)
+* Whitelist CSS property `list-style-type`. [#68](https://github.com/flavorjones/loofah/issues/68)/[#137](https://github.com/flavorjones/loofah/issues/137)/[#142](https://github.com/flavorjones/loofah/issues/142) (Thanks, [@andela-ysanni](https://github.com/andela-ysanni) and [@NikoRoberts](https://github.com/NikoRoberts)!)
 
 ### Bugfixes:
 
-* Properly handle nested `script` tags. #127.
+* Properly handle nested `script` tags. [#127](https://github.com/flavorjones/loofah/issues/127).
 
 
 ## 2.1.1 / 2017-09-24
 
 ### Bugfixes:
 
-* Removed warning for unused variable. #124 (Thanks, @y-yagi!)
+* Removed warning for unused variable. [#124](https://github.com/flavorjones/loofah/issues/124) (Thanks, [@y-yagi](https://github.com/y-yagi)!)
 
 
 ## 2.1.0 / 2017-09-24
 
 ### Notes:
 
-* Re-implemented CSS parsing and sanitization using the [crass](https://github.com/rgrove/crass) library. #91
+* Re-implemented CSS parsing and sanitization using the [crass](https://github.com/rgrove/crass) library. [#91](https://github.com/flavorjones/loofah/issues/91)
 
 
 ### Features:
 
-* Added :noopener HTML scrubber (Thanks, @tastycode!)
-* Support `data` URIs with the following media types: text/plain, text/css, image/png, image/gif, image/jpeg, image/svg+xml. #101, #120. (Thanks, @mrpasquini!)
+* Added :noopener HTML scrubber (Thanks, [@tastycode](https://github.com/tastycode)!)
+* Support `data` URIs with the following media types: text/plain, text/css, image/png, image/gif, image/jpeg, image/svg+xml. [#101](https://github.com/flavorjones/loofah/issues/101), [#120](https://github.com/flavorjones/loofah/issues/120). (Thanks, [@mrpasquini](https://github.com/mrpasquini)!)
 
 
 ### Bugfixes:
 
-* The :unprintable scrubber now scrubs unprintable characters in CDATA nodes (like `<script>`). #124
-* Allow negative values in CSS properties. Restores functionality that was reverted in v2.0.3. #91
+* The :unprintable scrubber now scrubs unprintable characters in CDATA nodes (like `<script>`). [#124](https://github.com/flavorjones/loofah/issues/124)
+* Allow negative values in CSS properties. Restores functionality that was reverted in v2.0.3. [#91](https://github.com/flavorjones/loofah/issues/91)
 
 
 ## 2.0.3 / 2015-08-17
 
 ### Bug fixes:
 
-* Revert support for negative values in CSS properties due to slow performance. #90 (Related to #85.)
+* Revert support for negative values in CSS properties due to slow performance. [#90](https://github.com/flavorjones/loofah/issues/90) (Related to [#85](https://github.com/flavorjones/loofah/issues/85).)
 
 
 ## 2.0.2 / 2015-05-05
 
 ### Bug fixes:
 
-* Fix error with `#to_text` when Loofah::Helpers hadn't been required. #75
-* Allow multi-word data attributes. #84 (Thanks, @jstorimer!)
-* Allow negative values in CSS properties. #85 (Thanks, @siddhartham!)
+* Fix error with `#to_text` when Loofah::Helpers hadn't been required. [#75](https://github.com/flavorjones/loofah/issues/75)
+* Allow multi-word data attributes. [#84](https://github.com/flavorjones/loofah/issues/84) (Thanks, [@jstorimer](https://github.com/jstorimer)!)
+* Allow negative values in CSS properties. [#85](https://github.com/flavorjones/loofah/issues/85) (Thanks, [@siddhartham](https://github.com/siddhartham)!)
 
 
 ## 2.0.1 / 2014-08-21
 
 ### Bug fixes:
 
-* Load RR correctly when running test files directly. (Thanks, @ktdreyer!)
+* Load RR correctly when running test files directly. (Thanks, [@ktdreyer](https://github.com/ktdreyer)!)
 
 
 ### Notes:
 
-* Extracted HTML5::Scrub#scrub_css_attribute to accommodate the Rails integration work. (Thanks, @kaspth!)
+* Extracted HTML5::Scrub#scrub_css_attribute to accommodate the Rails integration work. (Thanks, [@kaspth](https://github.com/kaspth)!)
 
 
 ## 2.0.0 / 2014-05-09
@@ -155,19 +308,19 @@ This CVE's public notice is at https://github.com/flavorjones/loofah/issues/144
   * tags: `article`, `aside`, `bdi`, `bdo`, `canvas`, `command`, `datalist`, `details`, `figcaption`, `figure`, `footer`, `header`, `mark`, `meter`, `nav`, `output`, `section`, `summary`, `time`
   * attributes: `data-*` (Thanks, Rafael Franca!)
   * URI attributes: `poster` and `preload`
-* Addition of the `:unprintable` scrubber to remove unprintable characters from text nodes. #65 (Thanks, Matt Swanson!)
-* `Loofah.fragment` accepts an optional encoding argument, compatible with `Nokogiri::HTML::DocumentFragment.parse`. #62 (Thanks, Ben Atkins!)
+* Addition of the `:unprintable` scrubber to remove unprintable characters from text nodes. [#65](https://github.com/flavorjones/loofah/issues/65) (Thanks, Matt Swanson!)
+* `Loofah.fragment` accepts an optional encoding argument, compatible with `Nokogiri::HTML::DocumentFragment.parse`. [#62](https://github.com/flavorjones/loofah/issues/62) (Thanks, Ben Atkins!)
 * HTML5 sanitizers now remove attributes without values. (Thanks, Kasper Timm Hansen!)
 
 ### Bug fixes:
 
 * HTML5 sanitizers' CSS keyword check now actually works (broken in v2.0). Additional regression tests added. (Thanks, Kasper Timm Hansen!)
-* HTML5 sanitizers now allow negative arguments to CSS. #64 (Thanks, Jon Calhoun!)
+* HTML5 sanitizers now allow negative arguments to CSS. [#64](https://github.com/flavorjones/loofah/issues/64) (Thanks, Jon Calhoun!)
 
 
 ## 1.2.1 (2012-04-14)
 
-* Declaring encoding in html5/scrub.rb. Without this, use of the ruby -KU option would cause havoc. (#32)
+* Declaring encoding in html5/scrub.rb. Without this, use of the ruby -KU option would cause havoc. ([#32](https://github.com/flavorjones/loofah/issues/32))
 
 
 ## 1.2.0 (2011-08-08)
@@ -185,7 +338,7 @@ This CVE's public notice is at https://github.com/flavorjones/loofah/issues/144
 * Additional HTML5lib whitelist elements (from html5lib 1524:80b5efe26230).
   Up to date with HTML5lib ruby code as of 1723:7ee6a0331856.
 * Whitelists (which are not part of the public API) are now Sets (were previously Arrays).
-* Don't explode when encountering UTF-8 URIs. (#25, #29)
+* Don't explode when encountering UTF-8 URIs. ([#25](https://github.com/flavorjones/loofah/issues/25), [#29](https://github.com/flavorjones/loofah/issues/29))
 
 
 ## 1.0.0 (2010-10-26)
@@ -203,7 +356,7 @@ This CVE's public notice is at https://github.com/flavorjones/loofah/issues/144
 * New methods Loofah::HTML::Document#to_text and
   Loofah::HTML::DocumentFragment#to_text do the right thing with
   whitespace. Note that these methods are significantly slower than
-  #text. GH #12
+  #text. GH [#12](https://github.com/flavorjones/loofah/issues/12)
 * Loofah::Elements::BLOCK_LEVEL contains a canonical list of HTML4 block-level4 elements.
 * Loofah::HTML::Document#text and Loofah::HTML::DocumentFragment#text
   will return unescaped HTML entities by passing :encode_special_chars => false.
@@ -217,7 +370,7 @@ This CVE's public notice is at https://github.com/flavorjones/loofah/issues/144
 
 ### Bug fixes:
 
-* Loofah::XssFoliate was not properly escaping HTML entities when implicitly scrubbing a string attribute. GH #17
+* Loofah::XssFoliate was not properly escaping HTML entities when implicitly scrubbing a string attribute. GH [#17](https://github.com/flavorjones/loofah/issues/17)
 
 
 ## 0.4.3 (2010-01-29)
@@ -245,7 +398,7 @@ This CVE's public notice is at https://github.com/flavorjones/loofah/issues/144
 
 ### Bug fixes:
 
-* Supporting Rails apps that aren't loading ActiveRecord. GH #10
+* Supporting Rails apps that aren't loading ActiveRecord. GH [#10](https://github.com/flavorjones/loofah/issues/10)
 
 ### Miscellaneous:
 
@@ -306,13 +459,13 @@ This CVE's public notice is at https://github.com/flavorjones/loofah/issues/144
 ### Enhancements:
 
 * when loaded in a Rails app, automatically extend ActiveRecord::Base
-  with html_fragment and html_document. GH #6 (Thanks Josh Nichols!)
+  with html_fragment and html_document. GH [#6](https://github.com/flavorjones/loofah/issues/6) (Thanks Josh Nichols!)
 
 ### Bugfixes:
 
 * ActiveRecord scrubbing should generate strings instead of Document or
-  DocumentFragment objects. GH #5
-* init.rb fixed to support installation as a Rails plugin. GH #6
+  DocumentFragment objects. GH [#5](https://github.com/flavorjones/loofah/issues/5)
+* init.rb fixed to support installation as a Rails plugin. GH [#6](https://github.com/flavorjones/loofah/issues/6)
   (Thanks Josh Nichols!)
 
 

data/README.md

@@ -1,15 +1,13 @@
 # Loofah
 
 * https://github.com/flavorjones/loofah
-* Docs: http://rubydoc.info/github/flavorjones/loofah/master/frames
+* Docs: http://rubydoc.info/github/flavorjones/loofah/main/frames
 * Mailing list: [loofah-talk@googlegroups.com](https://groups.google.com/forum/#!forum/loofah-talk)
 
 ## Status
 
-|System|Status|
-|--|--|
-| Concourse CI | [![Concourse CI](https://ci.nokogiri.org/api/v1/teams/nokogiri-core/pipelines/loofah/jobs/ruby-2.5/badge)](https://ci.nokogiri.org/teams/nokogiri-core/pipelines/loofah?groups=master) |
-| Code Climate | [![Code Climate](https://codeclimate.com/github/flavorjones/loofah.svg)](https://codeclimate.com/github/flavorjones/loofah) |
+[![ci](https://github.com/flavorjones/loofah/actions/workflows/ci.yml/badge.svg?branch=main)](https://github.com/flavorjones/loofah/actions/workflows/ci.yml)
+[![Tidelift dependencies](https://tidelift.com/badges/package/rubygems/loofah)](https://tidelift.com/subscription/pkg/rubygems-loofah?utm_source=rubygems-loofah&utm_medium=referral&utm_campaign=readme)
 
 
 ## Description
@@ -135,13 +133,12 @@ and `text` to return plain text:
 doc.text    # => "ohai! div is safe "
 ```
 
-Also, `to_text` is available, which does the right thing with
-whitespace around block-level elements.
+Also, `to_text` is available, which does the right thing with whitespace around block-level and line break elements.
 
 ``` ruby
-doc = Loofah.fragment("<h1>Title</h1><div>Content</div>")
-doc.text    # => "TitleContent"           # probably not what you want
-doc.to_text # => "\nTitle\n\nContent\n"   # better
+doc = Loofah.fragment("<h1>Title</h1><div>Content<br>Next line</div>")
+doc.text    # => "TitleContentNext line"            # probably not what you want
+doc.to_text # => "\nTitle\n\nContent\nNext line\n"  # better
 ```
 
 ### Loofah::XML::Document and Loofah::XML::DocumentFragment
@@ -212,7 +209,7 @@ end
 Loofah.xml_document(File.read('plague.xml')).scrub!(bring_out_your_dead)
 ```
 
-=== Built-In HTML Scrubbers
+### Built-In HTML Scrubbers
 
 Loofah comes with a set of sanitizing scrubbers that use HTML5lib's
 safelist algorithm:
@@ -301,6 +298,10 @@ And the mailing list is on Google Groups:
 
 And the IRC channel is \#loofah on freenode.
 
+Consider subscribing to [Tidelift][tidelift] which provides license assurances and timely security notifications for your open source dependencies, including Loofah. [Tidelift][tidelift] subscriptions also help the Loofah maintainers fund our [automated testing](https://ci.nokogiri.org) which in turn allows us to ship releases, bugfixes, and security updates more often.
+
+  [tidelift]: https://tidelift.com/subscription/pkg/rubygems-loofah?utm_source=undefined&utm_medium=referral&utm_campaign=enterprise
+
 
 ## Security
 
@@ -347,7 +348,7 @@ And a big shout-out to Corey Innis for the name, and feedback on the API.
 
 ## Thank You
 
-The following people have generously donated via the [Pledgie](http://pledgie.com) badge on the [Loofah github page](https://github.com/flavorjones/loofah):
+The following people have generously funded Loofah:
 
 * Bill Harding
 

data/lib/loofah/elements.rb

@@ -1,91 +1,95 @@
-require 'set'
+# frozen_string_literal: true
+require "set"
 
 module Loofah
   module Elements
     STRICT_BLOCK_LEVEL_HTML4 = Set.new %w[
-      address
-      blockquote
-      center
-      dir
-      div
-      dl
-      fieldset
-      form
-      h1
-      h2
-      h3
-      h4
-      h5
-      h6
-      hr
-      isindex
-      menu
-      noframes
-      noscript
-      ol
-      p
-      pre
-      table
-      ul
-    ]
+                                         address
+                                         blockquote
+                                         center
+                                         dir
+                                         div
+                                         dl
+                                         fieldset
+                                         form
+                                         h1
+                                         h2
+                                         h3
+                                         h4
+                                         h5
+                                         h6
+                                         hr
+                                         isindex
+                                         menu
+                                         noframes
+                                         noscript
+                                         ol
+                                         p
+                                         pre
+                                         table
+                                         ul
+                                       ]
 
     # https://developer.mozilla.org/en-US/docs/Web/HTML/Block-level_elements
     STRICT_BLOCK_LEVEL_HTML5 = Set.new %w[
-      address
-      article
-      aside
-      blockquote
-      canvas
-      dd
-      div
-      dl
-      dt
-      fieldset
-      figcaption
-      figure
-      footer
-      form
-      h1
-      h2
-      h3
-      h4
-      h5
-      h6
-      header
-      hgroup
-      hr
-      li
-      main
-      nav
-      noscript
-      ol
-      output
-      p
-      pre
-      section
-      table
-      tfoot
-      ul
-      video
-    ]
-
-    STRICT_BLOCK_LEVEL = STRICT_BLOCK_LEVEL_HTML4 + STRICT_BLOCK_LEVEL_HTML5
+                                         address
+                                         article
+                                         aside
+                                         blockquote
+                                         canvas
+                                         dd
+                                         div
+                                         dl
+                                         dt
+                                         fieldset
+                                         figcaption
+                                         figure
+                                         footer
+                                         form
+                                         h1
+                                         h2
+                                         h3
+                                         h4
+                                         h5
+                                         h6
+                                         header
+                                         hgroup
+                                         hr
+                                         li
+                                         main
+                                         nav
+                                         noscript
+                                         ol
+                                         output
+                                         p
+                                         pre
+                                         section
+                                         table
+                                         tfoot
+                                         ul
+                                         video
+                                       ]
 
     # The following elements may also be considered block-level
     # elements since they may contain block-level elements
     LOOSE_BLOCK_LEVEL = Set.new %w[dd
-      dt
-      frameset
-      li
-      tbody
-      td
-      tfoot
-      th
-      thead
-      tr
-    ]
+                                   dt
+                                   frameset
+                                   li
+                                   tbody
+                                   td
+                                   tfoot
+                                   th
+                                   thead
+                                   tr
+                                ]
 
+    # Elements that aren't block but should generate a newline in #to_text
+    INLINE_LINE_BREAK = Set.new(["br"])
+
+    STRICT_BLOCK_LEVEL = STRICT_BLOCK_LEVEL_HTML4 + STRICT_BLOCK_LEVEL_HTML5
     BLOCK_LEVEL = STRICT_BLOCK_LEVEL + LOOSE_BLOCK_LEVEL
+    LINEBREAKERS = BLOCK_LEVEL + INLINE_LINE_BREAK
   end
 
   ::Loofah::MetaHelpers.add_downcased_set_members_to_all_set_constants ::Loofah::Elements