loofah 2.5.0 → 2.18.0
- checksums.yaml +4 -4
- data/CHANGELOG.md +157 -47
- data/README.md +13 -12
- data/lib/loofah/elements.rb +5 -2
- data/lib/loofah/html5/safelist.rb +99 -8
- data/lib/loofah/html5/scrub.rb +51 -24
- data/lib/loofah/instance_methods.rb +9 -5
- data/lib/loofah/scrubbers.rb +7 -2
- data/lib/loofah/version.rb +5 -0
- data/lib/loofah.rb +13 -15
- metadata +41 -124
- data/Gemfile +0 -23
- data/Manifest.txt +0 -25
- data/Rakefile +0 -97
- data/benchmark/benchmark.rb +0 -154
- data/benchmark/fragment.html +0 -96
- data/benchmark/helper.rb +0 -73
- data/benchmark/www.slashdot.com.html +0 -2560
checksums.yaml
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
---
|
2
2
|
SHA256:
|
3
|
-
metadata.gz:
|
4
|
-
data.tar.gz:
|
3
|
+
metadata.gz: 187d7d426a2923ded1dd7ac225935029e5c140a93d7e73d32108737dfdf8ce9e
|
4
|
+
data.tar.gz: 9506581bec512a6c38489019966a2067d01a28b76b1472bb5b865cd04bea3ebf
|
5
5
|
SHA512:
|
6
|
-
metadata.gz:
|
7
|
-
data.tar.gz:
|
6
|
+
metadata.gz: 67ee54e2fc329df7dc146e2fa2a9c82ea83e126145d9192d0e82e8efdf2fc46495b186aca31265d3f56f0348de54d945f6055958a39ad7666caee0e128226f6d
|
7
|
+
data.tar.gz: 786b5da54c4ea19b48123849fc350d0c6b18cdafc076c0875590d2944f9f01ff1825a9714d40abf22400b31ea9deb571ba5bacfb263622abe7301abf3d5eb936
|
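Review bot: the removed `metadata.gz:` and `data.tar.gz:` lines carry no digest values, so this hunk shows only the new SHA256/SHA512 entries and gives a reviewer nothing to compare the 2.5.0 values against. Before accepting it, fetch loofah 2.18.0 from rubygems.org, unpack `metadata.gz` and `data.tar.gz` from the `.gem` archive and confirm that `sha256sum` / `sha512sum` of those two files match `187d7d42…` / `9506581b…` and `67ee54e2…` / `786b5da5…`; `checksums.yaml` is what `gem install` verifies the package contents against, so a mismatch here is either a corrupted download or a tampered package.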
data/CHANGELOG.md
CHANGED
@@ -1,30 +1,140 @@
|
|
1
1
|
# Changelog
|
2
2
|
|
3
|
+
## 2.18.0 / 2022-05-11
|
4
|
+
|
5
|
+
### Features
|
6
|
+
|
7
|
+
* Allow CSS property `aspect-ratio`. [[#236](https://github.com/flavorjones/loofah/issues/236)] (Thanks, [@louim](https://github.com/louim)!)
|
8
|
+
|
9
|
+
|
10
|
+
## 2.17.0 / 2022-04-28
|
11
|
+
|
12
|
+
### Features
|
13
|
+
|
14
|
+
* Allow ARIA attributes. [[#232](https://github.com/flavorjones/loofah/issues/232), [#233](https://github.com/flavorjones/loofah/issues/233)] (Thanks, [@nick-desteffen](https://github.com/nick-desteffen)!)
|
15
|
+
|
16
|
+
|
17
|
+
## 2.16.0 / 2022-04-01
|
18
|
+
|
19
|
+
### Features
|
20
|
+
|
21
|
+
* Allow MathML elements `menclose` and `ms`, and MathML attributes `dir`, `href`, `lquote`, `mathsize`, `notation`, and `rquote`. [[#231](https://github.com/flavorjones/loofah/issues/231)] (Thanks, [@nick-desteffen](https://github.com/nick-desteffen)!)
|
22
|
+
|
23
|
+
|
24
|
+
## 2.15.0 / 2022-03-14
|
25
|
+
|
26
|
+
### Features
|
27
|
+
|
28
|
+
* Expand set of allowed protocols to include `sms:`. [[#228](https://github.com/flavorjones/loofah/issues/228)] (Thanks, [@brendon](https://github.com/brendon)!)
|
29
|
+
|
30
|
+
|
31
|
+
## 2.14.0 / 2022-02-11
|
32
|
+
|
33
|
+
### Features
|
34
|
+
|
35
|
+
* The `#to_text` method on `Loofah::HTML::{Document,DocumentFragment}` replaces `<br>` line break elements with a newline. [[#225](https://github.com/flavorjones/loofah/issues/225)]
|
36
|
+
|
37
|
+
|
38
|
+
## 2.13.0 / 2021-12-10
|
39
|
+
|
40
|
+
### Bug fixes
|
41
|
+
|
42
|
+
* Loofah::HTML::DocumentFragment#text no longer serializes top-level comment children. [[#221](https://github.com/flavorjones/loofah/issues/221)]
|
43
|
+
|
44
|
+
|
45
|
+
## 2.12.0 / 2021-08-11
|
46
|
+
|
47
|
+
### Features
|
48
|
+
|
49
|
+
* Support empty HTML5 data attributes. [[#215](https://github.com/flavorjones/loofah/issues/215)]
|
50
|
+
|
51
|
+
|
52
|
+
## 2.11.0 / 2021-07-31
|
53
|
+
|
54
|
+
### Features
|
55
|
+
|
56
|
+
* Allow HTML5 element `wbr`.
|
57
|
+
* Allow all CSS property values for `border-collapse`. [[#201](https://github.com/flavorjones/loofah/issues/201)]
|
58
|
+
|
59
|
+
|
60
|
+
### Changes
|
61
|
+
|
62
|
+
* Deprecating `Loofah::HTML5::SafeList::VOID_ELEMENTS` which is not a canonical list of void HTML4 or HTML5 elements.
|
63
|
+
* Removed some elements from `Loofah::HTML5::SafeList::VOID_ELEMENTS` that either are not acceptable elements or aren't considered "void" by libxml2.
|
64
|
+
|
65
|
+
|
66
|
+
## 2.10.0 / 2021-06-06
|
67
|
+
|
68
|
+
### Features
|
69
|
+
|
70
|
+
* Allow CSS properties `overflow-x` and `overflow-y`. [[#206](https://github.com/flavorjones/loofah/issues/206)] (Thanks, [@sampokuokkanen](https://github.com/sampokuokkanen)!)
|
71
|
+
|
72
|
+
|
73
|
+
## 2.9.1 / 2021-04-07
|
74
|
+
|
75
|
+
### Bug fixes
|
76
|
+
|
77
|
+
* Fix a regression in v2.9.0 which inappropriately removed CSS properties with quoted string values. [[#202](https://github.com/flavorjones/loofah/issues/202)]
|
78
|
+
|
79
|
+
|
80
|
+
## 2.9.0 / 2021-01-14
|
81
|
+
|
82
|
+
### Features
|
83
|
+
|
84
|
+
* Handle CSS functions in a CSS shorthand property (like `background`). [[#199](https://github.com/flavorjones/loofah/issues/199), [#200](https://github.com/flavorjones/loofah/issues/200)]
|
85
|
+
|
86
|
+
|
87
|
+
## 2.8.0 / 2020-11-25
|
88
|
+
|
89
|
+
### Features
|
90
|
+
|
91
|
+
* Allow CSS properties `order`, `flex-direction`, `flex-grow`, `flex-wrap`, `flex-shrink`, `flex-flow`, `flex-basis`, `flex`, `justify-content`, `align-self`, `align-items`, and `align-content`. [[#197](https://github.com/flavorjones/loofah/issues/197)] (Thanks, [@miguelperez](https://github.com/miguelperez)!)
|
92
|
+
|
93
|
+
|
94
|
+
## 2.7.0 / 2020-08-26
|
95
|
+
|
96
|
+
### Features
|
97
|
+
|
98
|
+
* Allow CSS properties `page-break-before`, `page-break-inside`, and `page-break-after`. [[#190](https://github.com/flavorjones/loofah/issues/190)] (Thanks, [@ahorek](https://github.com/ahorek)!)
|
99
|
+
|
100
|
+
|
101
|
+
### Fixes
|
102
|
+
|
103
|
+
* Don't drop the `!important` rule from some CSS properties. [[#191](https://github.com/flavorjones/loofah/issues/191)] (Thanks, [@b7kich](https://github.com/b7kich)!)
|
104
|
+
|
105
|
+
|
106
|
+
## 2.6.0 / 2020-06-16
|
107
|
+
|
108
|
+
### Features
|
109
|
+
|
110
|
+
* Allow CSS `border-style` keywords. [[#188](https://github.com/flavorjones/loofah/issues/188)] (Thanks, [@tarcisiozf](https://github.com/tarcisiozf)!)
|
111
|
+
|
112
|
+
|
3
113
|
## 2.5.0 / 2020-04-05
|
4
114
|
|
5
115
|
### Features
|
6
116
|
|
7
|
-
* Allow more CSS length units: "ch", "vw", "vh", "Q", "lh", "vmin", "vmax". [#178] (Thanks, @JuanitoFatas!)
|
117
|
+
* Allow more CSS length units: "ch", "vw", "vh", "Q", "lh", "vmin", "vmax". [[#178](https://github.com/flavorjones/loofah/issues/178)] (Thanks, [@JuanitoFatas](https://github.com/JuanitoFatas)!)
|
8
118
|
|
9
119
|
|
10
120
|
### Fixes
|
11
121
|
|
12
|
-
* Remove comments from `Loofah::HTML::Document`s that exist outside the `html` element. [#80]
|
122
|
+
* Remove comments from `Loofah::HTML::Document`s that exist outside the `html` element. [[#80](https://github.com/flavorjones/loofah/issues/80)]
|
13
123
|
|
14
124
|
|
15
125
|
### Other changes
|
16
126
|
|
17
|
-
* Gem metadata being set [#181] (Thanks, @JuanitoFatas!)
|
18
|
-
* Test files removed from gem file [#180
|
127
|
+
* Gem metadata being set [[#181](https://github.com/flavorjones/loofah/issues/181)] (Thanks, [@JuanitoFatas](https://github.com/JuanitoFatas)!)
|
128
|
+
* Test files removed from gem file [[#180](https://github.com/flavorjones/loofah/issues/180),[#166](https://github.com/flavorjones/loofah/issues/166),[#159](https://github.com/flavorjones/loofah/issues/159)] (Thanks, [@JuanitoFatas](https://github.com/JuanitoFatas) and [@greysteil](https://github.com/greysteil)!)
|
19
129
|
|
20
130
|
|
21
131
|
## 2.4.0 / 2019-11-25
|
22
132
|
|
23
133
|
### Features
|
24
134
|
|
25
|
-
* Allow CSS property `max-width` [#175] (Thanks, @bchaney!)
|
26
|
-
* Allow CSS sizes expressed in `rem` [#176, #177]
|
27
|
-
* Add `frozen_string_literal: true` magic comment to all `lib` files. [#118]
|
135
|
+
* Allow CSS property `max-width` [[#175](https://github.com/flavorjones/loofah/issues/175)] (Thanks, [@bchaney](https://github.com/bchaney)!)
|
136
|
+
* Allow CSS sizes expressed in `rem` [[#176](https://github.com/flavorjones/loofah/issues/176), [#177](https://github.com/flavorjones/loofah/issues/177)]
|
137
|
+
* Add `frozen_string_literal: true` magic comment to all `lib` files. [[#118](https://github.com/flavorjones/loofah/issues/118)]
|
28
138
|
|
29
139
|
|
30
140
|
## 2.3.1 / 2019-10-22
|
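Review bot: the 2.16.0 entry adds the MathML attribute `href`, and the 2.15.0 entry widens the allowed protocols with `sms:`, but neither says whether the new `href` is handled as a URI attribute (so the protocol safelist and the `data:` media-type check apply to it) or as a plain attribute, and the `safelist.rb` hunk that would answer that is not part of this excerpt. Say so in the entry, e.g. "Allow MathML attribute `href` (validated against the URI protocol safelist)", since an `href` that bypasses the protocol check would undo the point of the `tel:`/`line:`/`sms:` allow-listing above. Minor: "Deprecating `Loofah::HTML5::SafeList::VOID_ELEMENTS`" under 2.11.0 should read "Deprecate" to match the other entries.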
@@ -33,24 +143,24 @@
|
|
33
143
|
|
34
144
|
Address CVE-2019-15587: Unsanitized JavaScript may occur in sanitized output when a crafted SVG element is republished.
|
35
145
|
|
36
|
-
This CVE's public notice is at https://github.com/flavorjones/loofah/issues/171
|
146
|
+
This CVE's public notice is at [#171](https://github.com/flavorjones/loofah/issues/171)
|
37
147
|
|
38
148
|
|
39
149
|
## 2.3.0 / 2019-09-28
|
40
150
|
|
41
151
|
### Features
|
42
152
|
|
43
|
-
* Expand set of allowed protocols to include `tel:` and `line:`. [#104, #147]
|
44
|
-
* Expand set of allowed CSS functions. [related to #122]
|
45
|
-
* Allow greater precision in shorthand CSS values. [#149] (Thanks, @danfstucky!)
|
46
|
-
* Allow CSS property `list-style` [#162] (Thanks, @jaredbeck!)
|
47
|
-
* Allow CSS keywords `thick` and `thin` [#168] (Thanks, @georgeclaghorn!)
|
48
|
-
* Allow HTML property `contenteditable` [#167] (Thanks, @andreynering!)
|
153
|
+
* Expand set of allowed protocols to include `tel:` and `line:`. [[#104](https://github.com/flavorjones/loofah/issues/104), [#147](https://github.com/flavorjones/loofah/issues/147)]
|
154
|
+
* Expand set of allowed CSS functions. [related to [#122](https://github.com/flavorjones/loofah/issues/122)]
|
155
|
+
* Allow greater precision in shorthand CSS values. [[#149](https://github.com/flavorjones/loofah/issues/149)] (Thanks, [@danfstucky](https://github.com/danfstucky)!)
|
156
|
+
* Allow CSS property `list-style` [[#162](https://github.com/flavorjones/loofah/issues/162)] (Thanks, [@jaredbeck](https://github.com/jaredbeck)!)
|
157
|
+
* Allow CSS keywords `thick` and `thin` [[#168](https://github.com/flavorjones/loofah/issues/168)] (Thanks, [@georgeclaghorn](https://github.com/georgeclaghorn)!)
|
158
|
+
* Allow HTML property `contenteditable` [[#167](https://github.com/flavorjones/loofah/issues/167)] (Thanks, [@andreynering](https://github.com/andreynering)!)
|
49
159
|
|
50
160
|
|
51
161
|
### Bug fixes
|
52
162
|
|
53
|
-
* CSS hex values are no longer limited to lowercase hex. Previously uppercase hex were scrubbed. [#165] (Thanks, @asok!)
|
163
|
+
* CSS hex values are no longer limited to lowercase hex. Previously uppercase hex were scrubbed. [[#165](https://github.com/flavorjones/loofah/issues/165)] (Thanks, [@asok](https://github.com/asok)!)
|
54
164
|
|
55
165
|
|
56
166
|
### Deprecations / Name Changes
|
@@ -61,7 +171,7 @@ The following method and constants are hereby deprecated, and will be completely
|
|
61
171
|
* Deprecate `Loofah::Helpers::ActionView::WhiteListSanitizer`, please use `Loofah::Helpers::ActionView::SafeListSanitizer` instead.
|
62
172
|
* Deprecate `Loofah::HTML5::WhiteList`, please use `Loofah::HTML5::SafeList` instead.
|
63
173
|
|
64
|
-
Thanks to @JuanitoFatas for submitting these changes in #164 and for making the language used in Loofah more inclusive.
|
174
|
+
Thanks to [@JuanitoFatas](https://github.com/JuanitoFatas) for submitting these changes in [#164](https://github.com/flavorjones/loofah/issues/164) and for making the language used in Loofah more inclusive.
|
65
175
|
|
66
176
|
|
67
177
|
## 2.2.3 / 2018-10-30
|
@@ -70,7 +180,7 @@ Thanks to @JuanitoFatas for submitting these changes in #164 and for making the
|
|
70
180
|
|
71
181
|
Address CVE-2018-16468: Unsanitized JavaScript may occur in sanitized output when a crafted SVG element is republished.
|
72
182
|
|
73
|
-
This CVE's public notice is at https://github.com/flavorjones/loofah/issues/154
|
183
|
+
This CVE's public notice is at [#154](https://github.com/flavorjones/loofah/issues/154)
|
74
184
|
|
75
185
|
|
76
186
|
## Meta / 2018-10-27
|
@@ -97,76 +207,76 @@ attribute scrubbers should they need to address CVE-2018-8048.
|
|
97
207
|
|
98
208
|
Addresses CVE-2018-8048. Loofah allowed non-whitelisted attributes to be present in sanitized output when input with specially-crafted HTML fragments.
|
99
209
|
|
100
|
-
This CVE's public notice is at https://github.com/flavorjones/loofah/issues/144
|
210
|
+
This CVE's public notice is at [#144](https://github.com/flavorjones/loofah/issues/144)
|
101
211
|
|
102
212
|
|
103
213
|
## 2.2.0 / 2018-02-11
|
104
214
|
|
105
215
|
### Features:
|
106
216
|
|
107
|
-
* Support HTML5 `<main>` tag. #133 (Thanks, @MothOnMars!)
|
108
|
-
* Recognize HTML5 block elements. #136 (Thanks, @MothOnMars!)
|
109
|
-
* Support SVG `<symbol>` tag. #131 (Thanks, @baopham!)
|
110
|
-
* Support for whitelisting CSS functions, initially just `calc` and `rgb`. #122
|
111
|
-
* Whitelist CSS property `list-style-type`. #68
|
217
|
+
* Support HTML5 `<main>` tag. [#133](https://github.com/flavorjones/loofah/issues/133) (Thanks, [@MothOnMars](https://github.com/MothOnMars)!)
|
218
|
+
* Recognize HTML5 block elements. [#136](https://github.com/flavorjones/loofah/issues/136) (Thanks, [@MothOnMars](https://github.com/MothOnMars)!)
|
219
|
+
* Support SVG `<symbol>` tag. [#131](https://github.com/flavorjones/loofah/issues/131) (Thanks, [@baopham](https://github.com/baopham)!)
|
220
|
+
* Support for whitelisting CSS functions, initially just `calc` and `rgb`. [#122](https://github.com/flavorjones/loofah/issues/122)/[#123](https://github.com/flavorjones/loofah/issues/123)/[#129](https://github.com/flavorjones/loofah/issues/129) (Thanks, [@NikoRoberts](https://github.com/NikoRoberts)!)
|
221
|
+
* Whitelist CSS property `list-style-type`. [#68](https://github.com/flavorjones/loofah/issues/68)/[#137](https://github.com/flavorjones/loofah/issues/137)/[#142](https://github.com/flavorjones/loofah/issues/142) (Thanks, [@andela-ysanni](https://github.com/andela-ysanni) and [@NikoRoberts](https://github.com/NikoRoberts)!)
|
112
222
|
|
113
223
|
### Bugfixes:
|
114
224
|
|
115
|
-
* Properly handle nested `script` tags. #127.
|
225
|
+
* Properly handle nested `script` tags. [#127](https://github.com/flavorjones/loofah/issues/127).
|
116
226
|
|
117
227
|
|
118
228
|
## 2.1.1 / 2017-09-24
|
119
229
|
|
120
230
|
### Bugfixes:
|
121
231
|
|
122
|
-
* Removed warning for unused variable. #124 (Thanks, @y-yagi!)
|
232
|
+
* Removed warning for unused variable. [#124](https://github.com/flavorjones/loofah/issues/124) (Thanks, [@y-yagi](https://github.com/y-yagi)!)
|
123
233
|
|
124
234
|
|
125
235
|
## 2.1.0 / 2017-09-24
|
126
236
|
|
127
237
|
### Notes:
|
128
238
|
|
129
|
-
* Re-implemented CSS parsing and sanitization using the [crass](https://github.com/rgrove/crass) library. #91
|
239
|
+
* Re-implemented CSS parsing and sanitization using the [crass](https://github.com/rgrove/crass) library. [#91](https://github.com/flavorjones/loofah/issues/91)
|
130
240
|
|
131
241
|
|
132
242
|
### Features:
|
133
243
|
|
134
|
-
* Added :noopener HTML scrubber (Thanks, @tastycode!)
|
135
|
-
* Support `data` URIs with the following media types: text/plain, text/css, image/png, image/gif, image/jpeg, image/svg+xml. #101, #120. (Thanks, @mrpasquini!)
|
244
|
+
* Added :noopener HTML scrubber (Thanks, [@tastycode](https://github.com/tastycode)!)
|
245
|
+
* Support `data` URIs with the following media types: text/plain, text/css, image/png, image/gif, image/jpeg, image/svg+xml. [#101](https://github.com/flavorjones/loofah/issues/101), [#120](https://github.com/flavorjones/loofah/issues/120). (Thanks, [@mrpasquini](https://github.com/mrpasquini)!)
|
136
246
|
|
137
247
|
|
138
248
|
### Bugfixes:
|
139
249
|
|
140
|
-
* The :unprintable scrubber now scrubs unprintable characters in CDATA nodes (like `<script>`). #124
|
141
|
-
* Allow negative values in CSS properties. Restores functionality that was reverted in v2.0.3. #91
|
250
|
+
* The :unprintable scrubber now scrubs unprintable characters in CDATA nodes (like `<script>`). [#124](https://github.com/flavorjones/loofah/issues/124)
|
251
|
+
* Allow negative values in CSS properties. Restores functionality that was reverted in v2.0.3. [#91](https://github.com/flavorjones/loofah/issues/91)
|
142
252
|
|
143
253
|
|
144
254
|
## 2.0.3 / 2015-08-17
|
145
255
|
|
146
256
|
### Bug fixes:
|
147
257
|
|
148
|
-
* Revert support for negative values in CSS properties due to slow performance. #90 (Related to #85.)
|
258
|
+
* Revert support for negative values in CSS properties due to slow performance. [#90](https://github.com/flavorjones/loofah/issues/90) (Related to [#85](https://github.com/flavorjones/loofah/issues/85).)
|
149
259
|
|
150
260
|
|
151
261
|
## 2.0.2 / 2015-05-05
|
152
262
|
|
153
263
|
### Bug fixes:
|
154
264
|
|
155
|
-
* Fix error with `#to_text` when Loofah::Helpers hadn't been required. #75
|
156
|
-
* Allow multi-word data attributes. #84 (Thanks, @jstorimer!)
|
157
|
-
* Allow negative values in CSS properties. #85 (Thanks, @siddhartham!)
|
265
|
+
* Fix error with `#to_text` when Loofah::Helpers hadn't been required. [#75](https://github.com/flavorjones/loofah/issues/75)
|
266
|
+
* Allow multi-word data attributes. [#84](https://github.com/flavorjones/loofah/issues/84) (Thanks, [@jstorimer](https://github.com/jstorimer)!)
|
267
|
+
* Allow negative values in CSS properties. [#85](https://github.com/flavorjones/loofah/issues/85) (Thanks, [@siddhartham](https://github.com/siddhartham)!)
|
158
268
|
|
159
269
|
|
160
270
|
## 2.0.1 / 2014-08-21
|
161
271
|
|
162
272
|
### Bug fixes:
|
163
273
|
|
164
|
-
* Load RR correctly when running test files directly. (Thanks, @ktdreyer!)
|
274
|
+
* Load RR correctly when running test files directly. (Thanks, [@ktdreyer](https://github.com/ktdreyer)!)
|
165
275
|
|
166
276
|
|
167
277
|
### Notes:
|
168
278
|
|
169
|
-
* Extracted HTML5::Scrub#scrub_css_attribute to accommodate the Rails integration work. (Thanks, @kaspth!)
|
279
|
+
* Extracted HTML5::Scrub#scrub_css_attribute to accommodate the Rails integration work. (Thanks, [@kaspth](https://github.com/kaspth)!)
|
170
280
|
|
171
281
|
|
172
282
|
## 2.0.0 / 2014-05-09
|
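Review bot: the 2.1.0 line "Support `data` URIs with the following media types: … image/svg+xml" still does not say which attributes accept them; an SVG document reached through a `data:` URI in a navigable attribute such as `href` is a full document that can carry `<script>`, and SVG handling is the subject of both CVE notices (CVE-2018-16468, CVE-2019-15587) elsewhere in this changelog, so the entry or the safelist should state whether `data:` is limited to `src`-style attributes. Separately, the 2.2.0 entries gain issue references `#123`/`#129` and `#137`/`#142` plus contributor credits that the removed lines never had; that is fine but goes beyond the link-formatting this hunk is otherwise doing and should be called out.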
@@ -182,19 +292,19 @@ This CVE's public notice is at https://github.com/flavorjones/loofah/issues/144
|
|
182
292
|
* tags: `article`, `aside`, `bdi`, `bdo`, `canvas`, `command`, `datalist`, `details`, `figcaption`, `figure`, `footer`, `header`, `mark`, `meter`, `nav`, `output`, `section`, `summary`, `time`
|
183
293
|
* attributes: `data-*` (Thanks, Rafael Franca!)
|
184
294
|
* URI attributes: `poster` and `preload`
|
185
|
-
* Addition of the `:unprintable` scrubber to remove unprintable characters from text nodes. #65 (Thanks, Matt Swanson!)
|
186
|
-
* `Loofah.fragment` accepts an optional encoding argument, compatible with `Nokogiri::HTML::DocumentFragment.parse`. #62 (Thanks, Ben Atkins!)
|
295
|
+
* Addition of the `:unprintable` scrubber to remove unprintable characters from text nodes. [#65](https://github.com/flavorjones/loofah/issues/65) (Thanks, Matt Swanson!)
|
296
|
+
* `Loofah.fragment` accepts an optional encoding argument, compatible with `Nokogiri::HTML::DocumentFragment.parse`. [#62](https://github.com/flavorjones/loofah/issues/62) (Thanks, Ben Atkins!)
|
187
297
|
* HTML5 sanitizers now remove attributes without values. (Thanks, Kasper Timm Hansen!)
|
188
298
|
|
189
299
|
### Bug fixes:
|
190
300
|
|
191
301
|
* HTML5 sanitizers' CSS keyword check now actually works (broken in v2.0). Additional regression tests added. (Thanks, Kasper Timm Hansen!)
|
192
|
-
* HTML5 sanitizers now allow negative arguments to CSS. #64 (Thanks, Jon Calhoun!)
|
302
|
+
* HTML5 sanitizers now allow negative arguments to CSS. [#64](https://github.com/flavorjones/loofah/issues/64) (Thanks, Jon Calhoun!)
|
193
303
|
|
194
304
|
|
195
305
|
## 1.2.1 (2012-04-14)
|
196
306
|
|
197
|
-
* Declaring encoding in html5/scrub.rb. Without this, use of the ruby -KU option would cause havoc. (#32)
|
307
|
+
* Declaring encoding in html5/scrub.rb. Without this, use of the ruby -KU option would cause havoc. ([#32](https://github.com/flavorjones/loofah/issues/32))
|
198
308
|
|
199
309
|
|
200
310
|
## 1.2.0 (2011-08-08)
|
@@ -212,7 +322,7 @@ This CVE's public notice is at https://github.com/flavorjones/loofah/issues/144
|
|
212
322
|
* Additional HTML5lib whitelist elements (from html5lib 1524:80b5efe26230).
|
213
323
|
Up to date with HTML5lib ruby code as of 1723:7ee6a0331856.
|
214
324
|
* Whitelists (which are not part of the public API) are now Sets (were previously Arrays).
|
215
|
-
* Don't explode when encountering UTF-8 URIs. (#25, #29)
|
325
|
+
* Don't explode when encountering UTF-8 URIs. ([#25](https://github.com/flavorjones/loofah/issues/25), [#29](https://github.com/flavorjones/loofah/issues/29))
|
216
326
|
|
217
327
|
|
218
328
|
## 1.0.0 (2010-10-26)
|
@@ -230,7 +340,7 @@ This CVE's public notice is at https://github.com/flavorjones/loofah/issues/144
|
|
230
340
|
* New methods Loofah::HTML::Document#to_text and
|
231
341
|
Loofah::HTML::DocumentFragment#to_text do the right thing with
|
232
342
|
whitespace. Note that these methods are significantly slower than
|
233
|
-
#text. GH #12
|
343
|
+
#text. GH [#12](https://github.com/flavorjones/loofah/issues/12)
|
234
344
|
* Loofah::Elements::BLOCK_LEVEL contains a canonical list of HTML4 block-level4 elements.
|
235
345
|
* Loofah::HTML::Document#text and Loofah::HTML::DocumentFragment#text
|
236
346
|
will return unescaped HTML entities by passing :encode_special_chars => false.
|
@@ -244,7 +354,7 @@ This CVE's public notice is at https://github.com/flavorjones/loofah/issues/144
|
|
244
354
|
|
245
355
|
### Bug fixes:
|
246
356
|
|
247
|
-
* Loofah::XssFoliate was not properly escaping HTML entities when implicitly scrubbing a string attribute. GH #17
|
357
|
+
* Loofah::XssFoliate was not properly escaping HTML entities when implicitly scrubbing a string attribute. GH [#17](https://github.com/flavorjones/loofah/issues/17)
|
248
358
|
|
249
359
|
|
250
360
|
## 0.4.3 (2010-01-29)
|
@@ -272,7 +382,7 @@ This CVE's public notice is at https://github.com/flavorjones/loofah/issues/144
|
|
272
382
|
|
273
383
|
### Bug fixes:
|
274
384
|
|
275
|
-
* Supporting Rails apps that aren't loading ActiveRecord. GH #10
|
385
|
+
* Supporting Rails apps that aren't loading ActiveRecord. GH [#10](https://github.com/flavorjones/loofah/issues/10)
|
276
386
|
|
277
387
|
### Miscellaneous:
|
278
388
|
|
@@ -333,13 +443,13 @@ This CVE's public notice is at https://github.com/flavorjones/loofah/issues/144
|
|
333
443
|
### Enhancements:
|
334
444
|
|
335
445
|
* when loaded in a Rails app, automatically extend ActiveRecord::Base
|
336
|
-
with html_fragment and html_document. GH #6 (Thanks Josh Nichols!)
|
446
|
+
with html_fragment and html_document. GH [#6](https://github.com/flavorjones/loofah/issues/6) (Thanks Josh Nichols!)
|
337
447
|
|
338
448
|
### Bugfixes:
|
339
449
|
|
340
450
|
* ActiveRecord scrubbing should generate strings instead of Document or
|
341
|
-
DocumentFragment objects. GH #5
|
342
|
-
* init.rb fixed to support installation as a Rails plugin. GH #6
|
451
|
+
DocumentFragment objects. GH [#5](https://github.com/flavorjones/loofah/issues/5)
|
452
|
+
* init.rb fixed to support installation as a Rails plugin. GH [#6](https://github.com/flavorjones/loofah/issues/6)
|
343
453
|
(Thanks Josh Nichols!)
|
344
454
|
|
345
455
|
|
data/README.md
CHANGED
@@ -1,15 +1,13 @@
|
|
1
1
|
# Loofah
|
2
2
|
|
3
3
|
* https://github.com/flavorjones/loofah
|
4
|
-
* Docs: http://rubydoc.info/github/flavorjones/loofah/
|
4
|
+
* Docs: http://rubydoc.info/github/flavorjones/loofah/main/frames
|
5
5
|
* Mailing list: [loofah-talk@googlegroups.com](https://groups.google.com/forum/#!forum/loofah-talk)
|
6
6
|
|
7
7
|
## Status
|
8
8
|
|
9
|
-
|
10
|
-
|
11
|
-
| Concourse CI | [![Concourse CI](https://ci.nokogiri.org/api/v1/teams/nokogiri-core/pipelines/loofah/jobs/ruby-2.5/badge)](https://ci.nokogiri.org/teams/nokogiri-core/pipelines/loofah?groups=master) |
|
12
|
-
| Code Climate | [![Code Climate](https://codeclimate.com/github/flavorjones/loofah.svg)](https://codeclimate.com/github/flavorjones/loofah) |
|
9
|
+
[![ci](https://github.com/flavorjones/loofah/actions/workflows/ci.yml/badge.svg?branch=main)](https://github.com/flavorjones/loofah/actions/workflows/ci.yml)
|
10
|
+
[![Tidelift dependencies](https://tidelift.com/badges/package/rubygems/loofah)](https://tidelift.com/subscription/pkg/rubygems-loofah?utm_source=rubygems-loofah&utm_medium=referral&utm_campaign=readme)
|
13
11
|
|
14
12
|
|
15
13
|
## Description
|
@@ -135,13 +133,12 @@ and `text` to return plain text:
|
|
135
133
|
doc.text # => "ohai! div is safe "
|
136
134
|
```
|
137
135
|
|
138
|
-
Also, `to_text` is available, which does the right thing with
|
139
|
-
whitespace around block-level elements.
|
136
|
+
Also, `to_text` is available, which does the right thing with whitespace around block-level and line break elements.
|
140
137
|
|
141
138
|
``` ruby
|
142
|
-
doc = Loofah.fragment("<h1>Title</h1><div>Content</div>")
|
143
|
-
doc.text # => "
|
144
|
-
doc.to_text # => "\nTitle\n\nContent\n"
|
139
|
+
doc = Loofah.fragment("<h1>Title</h1><div>Content<br>Next line</div>")
|
140
|
+
doc.text # => "TitleContentNext line" # probably not what you want
|
141
|
+
doc.to_text # => "\nTitle\n\nContent\nNext line\n" # better
|
145
142
|
```
|
146
143
|
|
147
144
|
### Loofah::XML::Document and Loofah::XML::DocumentFragment
|
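Review bot: the new example's `doc.text # => "TitleContentNext line"` output is right, but the README still does not mention that `to_text` is significantly slower than `text`, which the 1.0.0 entry of the CHANGELOG in this same diff states; add that caveat next to "better" so readers who call `to_text` on large documents or in a hot path are not surprised. The trailing `# probably not what you want` / `# better` remarks sit inside the result comments and would read more clearly as prose under the code block.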
@@ -212,7 +209,7 @@ end
|
|
212
209
|
Loofah.xml_document(File.read('plague.xml')).scrub!(bring_out_your_dead)
|
213
210
|
```
|
214
211
|
|
215
|
-
|
212
|
+
### Built-In HTML Scrubbers
|
216
213
|
|
217
214
|
Loofah comes with a set of sanitizing scrubbers that use HTML5lib's
|
218
215
|
safelist algorithm:
|
@@ -301,6 +298,10 @@ And the mailing list is on Google Groups:
|
|
301
298
|
|
302
299
|
And the IRC channel is \#loofah on freenode.
|
303
300
|
|
301
|
+
Consider subscribing to [Tidelift][tidelift] which provides license assurances and timely security notifications for your open source dependencies, including Loofah. [Tidelift][tidelift] subscriptions also help the Loofah maintainers fund our [automated testing](https://ci.nokogiri.org) which in turn allows us to ship releases, bugfixes, and security updates more often.
|
302
|
+
|
303
|
+
[tidelift]: https://tidelift.com/subscription/pkg/rubygems-loofah?utm_source=undefined&utm_medium=referral&utm_campaign=enterprise
|
304
|
+
|
304
305
|
|
305
306
|
## Security
|
306
307
|
|
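Review bot: the `[tidelift]` reference link added at line 303 carries `utm_source=undefined`, while the Tidelift badge link earlier in this README uses `utm_source=rubygems-loofah`; that looks like an unfilled template value and the two should match. The paragraph also says subscriptions fund "automated testing" at https://ci.nokogiri.org, but this same README change replaces the Concourse CI badge with a GitHub Actions badge, so either point that link at the Actions workflow or drop it so the two statements do not disagree.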
@@ -347,7 +348,7 @@ And a big shout-out to Corey Innis for the name, and feedback on the API.
|
|
347
348
|
|
348
349
|
## Thank You
|
349
350
|
|
350
|
-
The following people have generously
|
351
|
+
The following people have generously funded Loofah:
|
351
352
|
|
352
353
|
* Bill Harding
|
353
354
|
|
data/lib/loofah/elements.rb
CHANGED
@@ -70,8 +70,6 @@ module Loofah
|
|
70
70
|
video
|
71
71
|
]
|
72
72
|
|
73
|
-
STRICT_BLOCK_LEVEL = STRICT_BLOCK_LEVEL_HTML4 + STRICT_BLOCK_LEVEL_HTML5
|
74
|
-
|
75
73
|
# The following elements may also be considered block-level
|
76
74
|
# elements since they may contain block-level elements
|
77
75
|
LOOSE_BLOCK_LEVEL = Set.new %w[dd
|
@@ -86,7 +84,12 @@ module Loofah
|
|
86
84
|
tr
|
87
85
|
]
|
88
86
|
|
87
|
+
# Elements that aren't block but should generate a newline in #to_text
|
88
|
+
INLINE_LINE_BREAK = Set.new(["br"])
|
89
|
+
|
90
|
+
STRICT_BLOCK_LEVEL = STRICT_BLOCK_LEVEL_HTML4 + STRICT_BLOCK_LEVEL_HTML5
|
89
91
|
BLOCK_LEVEL = STRICT_BLOCK_LEVEL + LOOSE_BLOCK_LEVEL
|
92
|
+
LINEBREAKERS = BLOCK_LEVEL + INLINE_LINE_BREAK
|
90
93
|
end
|
91
94
|
|
92
95
|
::Loofah::MetaHelpers.add_downcased_set_members_to_all_set_constants ::Loofah::Elements
|
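Review bot: `LINEBREAKERS` is a new public constant on `Loofah::Elements` with no comment, unlike `INLINE_LINE_BREAK` directly above it, and `INLINE_LINE_BREAK = Set.new(["br"])` breaks with the `Set.new %w[...]` form every neighbouring constant uses. Add a one-line comment saying `LINEBREAKERS` is the element set `#to_text` emits newlines around, and write the new set as `INLINE_LINE_BREAK = Set.new %w[br]`. Moving `STRICT_BLOCK_LEVEL` below `LOOSE_BLOCK_LEVEL` is harmless since neither depends on the other, and `add_downcased_set_members_to_all_set_constants` at the end of the file will pick up the new constants as before.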