loofah version 2.3.0 has been released!
This release contains new features and is *not* a security-related release.
Loofah is a general library for manipulating and transforming HTML/XML
documents and fragments, built on top of Nokogiri.
Loofah excels at HTML sanitization (XSS prevention). It includes some nice
HTML sanitizers, which are based on HTML5lib's safelist, so it most likely
won't make your codes less secure. (These statements have not been
evaluated by Netexperts.)
ActiveRecord extensions for sanitization are available in the
*# v2.3.0 / 2019-09-28*
* Expand set of allowed protocols to include `tel:` and `line:`. [#104,
* Expand set of allowed CSS functions. [related to #122]
* Allow greater precision in shorthand CSS values. [#149] (Thanks,
* Allow CSS property `list-style` [#162] (Thanks, @jaredbeck!)
* Allow CSS keywords `thick` and `thin` [#168] (Thanks, @georgeclaghorn!)
* Allow HTML property `contenteditable` [#167] (Thanks, @andreynering!)
*## Bug fixes*
* CSS hex values are no longer limited to lowercase hex. Previously
uppercase hex were scrubbed. [#165] (Thanks, @asok!)
*## Deprecations / Name Changes*
The following method and constants are hereby deprecated, and will be
completely removed in a future release:
* Deprecate `Loofah::Helpers::ActionView.white_list_sanitizer`, please use
* Deprecate `Loofah::Helpers::ActionView::WhiteListSanitizer`, please use
* Deprecate `Loofah::HTML5::WhiteList`, please use
Thanks to @JuanitoFatas for submitting these changes in #164 and for making
the language used in Loofah more inclusive.