Recent Releases of https://github.com/flavorjones/loofah
https://github.com/flavorjones/loofah - 2.25.0 / 2025-12-15
2.25.0 / 2025-12-15
- Extract `Loofah::HTML5::Scrub.allowed_uri?` which operates on a string. Previously this logic was coupled to the parsed tree in `.scrub_uri_attribute`. #300 @flavorjones
- Tightened up how entities and control characters are handled when detecting allowed URIs. #301 @flavorjones
Full Changelog: https://github.com/flavorjones/loofah/compare/v2.24.1...v2.25.0
Published by flavorjones 3 months ago
https://github.com/flavorjones/loofah - 2.24.1 / 2025-05-12
2.24.1 / 2025-05-12
Ruby support
- Import only what's needed from `cgi` for support for Ruby 3.5 #296 @Earlopain
Published by flavorjones 10 months ago
https://github.com/flavorjones/loofah - 2.24.0 / 2024-12-24
2.24.0 / 2024-12-24
Added
- Built-in scrubber `:double_breakpoint` which sees `<br><br>` and wraps the surrounding content in `<p>` tags. #279, #284 @josecolella @torihuang
Improved
- Built-in scrubber `:targetblank` now skips `a` tags whose `href` attribute is an anchor link. Previously, all `a` tags were modified to have `target='_blank'`. #291 @fnando
New Contributors
- @andrew made their first contribution in https://github.com/flavorjones/loofah/pull/289
- @fnando made their first contribution in https://github.com/flavorjones/loofah/pull/291
- @josecolella and @torihuang made their first contribution in https://github.com/flavorjones/loofah/pull/284
Full Changelog: https://github.com/flavorjones/loofah/compare/v2.23.1...v2.24.0
Published by flavorjones about 1 year ago
https://github.com/flavorjones/loofah - 2.23.1 / 2024-10-25
2.23.1 / 2024-10-25
Added
- Allow CSS properties `min-height` and `max-height`. [#288] @lazyatom
Full Changelog: https://github.com/flavorjones/loofah/compare/v2.23.0...v2.23.1
Published by flavorjones over 1 year ago
https://github.com/flavorjones/loofah - 2.23.0 / 2024-10-24
2.23.0 / 2024-10-24
Added
- Allow CSS property `min-width`. [#287] @lazyatom
New Contributors
- @m-nakamura145 made their first contribution in https://github.com/flavorjones/loofah/pull/280
- @lazyatom made their first contribution in https://github.com/flavorjones/loofah/pull/287
Full Changelog: https://github.com/flavorjones/loofah/compare/v2.22.0...v2.23.0
Published by flavorjones over 1 year ago
https://github.com/flavorjones/loofah - 2.22.0 / 2023-11-13
2.22.0 / 2023-11-13
Added
- A `:targetblank` HTML scrubber which ensures all hyperlinks have `target="_blank"`. [#275] @stefannibrasil and @thdaraujo
- A `:noreferrer` HTML scrubber which ensures all hyperlinks have `rel=noreferrer`, similar to the `:nofollow` and `:noopener` scrubbers. [#277] @wynksaiddestroy
Published by flavorjones over 2 years ago
https://github.com/flavorjones/loofah - 2.21.4 / 2023-10-10
2.21.4 / 2023-10-10
Fixed
- `Loofah::HTML5::Scrub.scrub_css` is more consistent in preserving whitespace (and lack of whitespace) in CSS property values. In particular, `.scrub_css` no longer inserts whitespace between tokens that did not already have whitespace between them. [#273, fixes #271]
Published by flavorjones over 2 years ago
https://github.com/flavorjones/loofah - 2.21.3 / 2023-05-15
2.21.3 / 2023-05-15
- Quash "instance variable not initialized" warning in Ruby < 3.0. [#268] (Thanks, @dharamgollapudi!)
Published by flavorjones almost 3 years ago
https://github.com/flavorjones/loofah - 2.21.2 / 2023-05-11
2.21.2 / 2023-05-11
Dependencies
- Update the dependency on Nokogiri to be `>= 1.12.0`. The dependency in 2.21.0 and 2.21.1 was left at `>= 1.5.9` but versions before 1.12 would result in a `NameError` exception. [#266]
Published by flavorjones almost 3 years ago
https://github.com/flavorjones/loofah - 2.21.1 / 2023-05-10
2.21.1 / 2023-05-10
Fixed
- Don't define `HTML5::Document` and `HTML5::DocumentFragment` when Nokogiri is `< 1.14`. In 2.21.0 these classes were defined whenever `Nokogiri::HTML5` was defined, but Nokogiri v1.12 and v1.13 do not support Loofah subclassing properly.
Published by flavorjones almost 3 years ago
https://github.com/flavorjones/loofah - 2.21.0 / 2023-05-10
2.21.0 / 2023-05-10
HTML5 Support
Classes `Loofah::HTML5::Document` and `Loofah::HTML5::DocumentFragment` are introduced, along with helper methods:
- `Loofah.html5_document`
- `Loofah.html5_fragment`
- `Loofah.scrub_html5_document`
- `Loofah.scrub_html5_fragment`
These classes and methods use Nokogiri's HTML5 parser to ensure modern web standards are used.
⚠ HTML5 functionality is only available with Nokogiri v1.14.0 and higher.
⚠ HTML5 functionality is not available for JRuby. Please see this upstream Nokogiri issue if you're interested in helping implement and support HTML5 support.
Loofah::HTML4 module and namespace
Loofah::HTML has been renamed to Loofah::HTML4, and Loofah::HTML is aliased to preserve backwards-compatibility. Nokogiri::HTML and Nokogiri::HTML4 parse methods still use libxml2's (or NekoHTML's) HTML4 parser.
Take special note that if you rely on the class name of an object in your code, objects will now report a class of Loofah::HTML4::Foo where they previously reported Loofah::HTML::Foo. Instead of relying on the string returned by Object#class, prefer Class#=== or Object#is_a? or Object#instance_of?.
Future releases of Nokogiri may deprecate HTML classes and methods or otherwise change this behavior, so please start using HTML4 in place of HTML.
Official support for JRuby
This version introduces official support for JRuby. Previously, the test suite had never been green due to differences in behavior in the underlying HTML parser used by Nokogiri. We've updated the test suite to accommodate those differences, and have added JRuby to the CI suite.
Published by flavorjones almost 3 years ago
https://github.com/flavorjones/loofah - 2.21.0.rc1 / 2023-04-02
2.21.0.rc1 / 2023-04-02
HTML5 Support
Classes `Loofah::HTML5::Document` and `Loofah::HTML5::DocumentFragment` are introduced, along with helper methods:
- `Loofah.html5_document`
- `Loofah.html5_fragment`
- `Loofah.scrub_html5_document`
- `Loofah.scrub_html5_fragment`
These classes and methods use Nokogiri's HTML5 parser to ensure modern web standards are used.
⚠ HTML5 functionality is only available with Nokogiri v1.14.0 and higher.
⚠ HTML5 functionality is not available for JRuby. Please see this upstream Nokogiri issue if you're interested in helping implement and support HTML5 support.
Loofah::HTML4 module and namespace
Loofah::HTML has been renamed to Loofah::HTML4, and Loofah::HTML is aliased to preserve backwards-compatibility. Nokogiri::HTML and Nokogiri::HTML4 parse methods still use libxml2's (or NekoHTML's) HTML4 parser.
Take special note that if you rely on the class name of an object in your code, objects will now report a class of Loofah::HTML4::Foo where they previously reported Loofah::HTML::Foo. Instead of relying on the string returned by Object#class, prefer Class#=== or Object#is_a? or Object#instance_of?.
Future releases of Nokogiri may deprecate HTML classes and methods or otherwise change this behavior, so please start using HTML4 in place of HTML.
Official support for JRuby
This version introduces official support for JRuby. Previously, the test suite had never been green due to differences in behavior in the underlying HTML parser used by Nokogiri. We've updated the test suite to accommodate those differences, and have added JRuby to the CI suite.
Published by flavorjones almost 3 years ago
https://github.com/flavorjones/loofah - 2.20.0 / 2023-04-01
2.20.0 / 2023-04-01
Features
- Allow SVG attributes `color-profile`, `cursor`, `filter`, `marker`, and `mask`. [#246]
- Allow SVG elements `altGlyph`, `cursor`, `feImage`, `pattern`, and `tref`. [#246]
- Allow protocols `fax` and `modem`. [#255] (Thanks, @cjba7!)
Published by flavorjones almost 3 years ago
https://github.com/flavorjones/loofah - 2.19.1 / 2022-12-13
2.19.1 / 2022-12-13
Security
- Address CVE-2022-23514, inefficient regular expression complexity. See GHSA-486f-hjj9-9vhh for more information.
- Address CVE-2022-23515, improper neutralization of data URIs. See GHSA-228g-948r-83gx for more information.
- Address CVE-2022-23516, uncontrolled recursion. See GHSA-3x8r-x6xp-q4vm for more information.
Published by flavorjones about 3 years ago
https://github.com/flavorjones/loofah - 2.19.0 / 2022-09-14
2.19.0 / 2022-09-14
Features
- Allow SVG 1.0 color keyword names in CSS attributes. These colors are part of the CSS Color Module Level 3 recommendation released 2022-01-18. [#243]
Published by flavorjones over 3 years ago
https://github.com/flavorjones/loofah - 2.18.0 / 2022-05-11
2.18.0 / 2022-05-11
Features
Published by flavorjones almost 4 years ago
https://github.com/flavorjones/loofah - 2.17.0 / 2022-04-28
2.17.0 / 2022-04-28
Features
- Allow ARIA attributes. [#232, #233] (Thanks, @nick-desteffen!)
Published by flavorjones almost 4 years ago
https://github.com/flavorjones/loofah - 2.16.0 / 2022-04-01
2.16.0 / 2022-04-01
Features
- Allow MathML elements `menclose` and `ms`, and MathML attributes `dir`, `href`, `lquote`, `mathsize`, `notation`, and `rquote`. [#231] (Thanks, @nick-desteffen!)
Published by flavorjones almost 4 years ago
https://github.com/flavorjones/loofah - 2.15.0 / 2022-03-14
2.15.0 / 2022-03-14
Features
Published by flavorjones almost 4 years ago
https://github.com/flavorjones/loofah - 2.14.0 / 2022-02-11
2.14.0 / 2022-02-11
Features
- The `#to_text` method on `Loofah::HTML::{Document,DocumentFragment}` replaces `<br>` line break elements with a newline. [#225]
Published by flavorjones about 4 years ago
https://github.com/flavorjones/loofah - 2.13.0 / 2021-12-10
2.13.0 / 2021-12-10
Bug fixes
- Loofah::HTML::DocumentFragment#text no longer serializes top-level comment children. [#221]
Published by flavorjones about 4 years ago
https://github.com/flavorjones/loofah - 2.12.0 / 2021-08-11
2.12.0 / 2021-08-11
Features
- Support empty HTML5 data attributes. [#215]
Published by flavorjones over 4 years ago
https://github.com/flavorjones/loofah - 2.11.0 / 2021-07-31
2.11.0 / 2021-07-31
Features
- Allow HTML5 element `wbr`.
- Allow all CSS property values for `border-collapse`. [#201]
Changes
- Deprecating `Loofah::HTML5::SafeList::VOID_ELEMENTS` which is not a canonical list of void HTML4 or HTML5 elements.
- Removed some elements from `Loofah::HTML5::SafeList::VOID_ELEMENTS` that either are not acceptable elements or aren't considered "void" by libxml2.
Published by flavorjones over 4 years ago
https://github.com/flavorjones/loofah - 2.10.0 / 2021-06-06
2.10.0 / 2021-06-06
Features
- Allow CSS properties `overflow-x` and `overflow-y`. [#206] (Thanks, @sampokuokkanen!)
Published by flavorjones over 4 years ago
https://github.com/flavorjones/loofah - 2.9.1 / 2021-04-07
2.9.1 / 2021-04-07
Bug fixes
- Fix a regression in v2.9.0 which inappropriately removed CSS properties with quoted string values. [#202]
Published by flavorjones almost 5 years ago
https://github.com/flavorjones/loofah - 2.9.0 / 2021-01-14
2.9.0 / 2021-01-14
Published by flavorjones about 5 years ago
https://github.com/flavorjones/loofah - 2.8.0 / 2020-11-25
2.8.0 / 2020-11-25
- Allow CSS properties `order`, `flex-direction`, `flex-grow`, `flex-wrap`, `flex-shrink`, `flex-flow`, `flex-basis`, `flex`, `justify-content`, `align-self`, `align-items`, and `align-content`. [#197] (Thanks, @miguelperez!)
Published by flavorjones over 5 years ago
https://github.com/flavorjones/loofah - 2.7.0 / 2020-08-26
2.7.0 / 2020-08-26
Features
- Allow CSS properties `page-break-before`, `page-break-inside`, and `page-break-after`. [#190] (Thanks, @ahorek!)
Fixes
Published by flavorjones over 5 years ago
https://github.com/flavorjones/loofah - 2.6.0 / 2020-06-16
2.6.0 / 2020-06-16
Features
- Allow CSS `border-style` keywords. [#188] (Thanks, @tarcisiozf!)
Published by flavorjones over 5 years ago
https://github.com/flavorjones/loofah - 2.5.0 / 2020-04-05
2.5.0 / 2020-04-05
Features
- Allow more CSS length units: "ch", "vw", "vh", "Q", "lh", "vmin", "vmax". [#178] (Thanks, @JuanitoFatas!)
Fixes
- Remove comments from `Loofah::HTML::Document`s that exist outside the `html` element. [#80]
Other changes
- Gem metadata being set [#181] (Thanks, @JuanitoFatas!)
- Test files removed from gem file [#180,#166,#159] (Thanks, @JuanitoFatas and @greysteil!)
Published by flavorjones over 5 years ago
https://github.com/flavorjones/loofah - 2.4.0 / 2019-11-25
2.4.0 / 2019-11-25
Features
- Allow CSS property `max-width` [#175] (Thanks, @bchaney!)
- Allow CSS sizes expressed in `rem` [#176, #177]
- Add `frozen_string_literal: true` magic comment to all `lib` files. [#118]
Published by flavorjones over 6 years ago
https://github.com/flavorjones/loofah - 2.3.1 / 2019-10-22
2.3.1 / 2019-10-22
Security
Address CVE-2019-15587: Unsanitized JavaScript may occur in sanitized output when a crafted SVG element is republished.
This CVE's public notice is at https://github.com/flavorjones/loofah/issues/171
Published by flavorjones over 6 years ago
https://github.com/flavorjones/loofah - 2.3.0 / 2019-09-28
2.3.0 / 2019-09-28
Features
- Expand set of allowed protocols to include `tel:` and `line:`. [#104, #147]
- Expand set of allowed CSS functions. [related to #122]
- Allow greater precision in shorthand CSS values. [#149] (Thanks, @danfstucky!)
- Allow CSS property `list-style` [#162] (Thanks, @jaredbeck!)
- Allow CSS keywords `thick` and `thin` [#168] (Thanks, @georgeclaghorn!)
- Allow HTML property `contenteditable` [#167] (Thanks, @andreynering!)
Bug fixes
- CSS hex values are no longer limited to lowercase hex. Previously uppercase hex were scrubbed. [#165] (Thanks, @asok!)
Deprecations / Name Changes
The following method and constants are hereby deprecated, and will be completely removed in a future release:
- Deprecate `Loofah::Helpers::ActionView.white_list_sanitizer`, please use `Loofah::Helpers::ActionView.safe_list_sanitizer` instead.
- Deprecate `Loofah::Helpers::ActionView::WhiteListSanitizer`, please use `Loofah::Helpers::ActionView::SafeListSanitizer` instead.
- Deprecate `Loofah::HTML5::WhiteList`, please use `Loofah::HTML5::SafeList` instead.
Thanks to @JuanitoFatas for submitting these changes in #164 and for making the language used in Loofah more inclusive.
Published by flavorjones over 6 years ago
https://github.com/flavorjones/loofah - v2.2.3
Notably, this release addresses CVE-2018-16468.
Published by flavorjones over 7 years ago
https://github.com/flavorjones/loofah -
2.2.2 / 2018-03-22
Make public Loofah::HTML5::Scrub.force_correct_attribute_escaping!,
which was previously a private method. This is so that downstream gems
(like rails-html-sanitizer) can use this logic directly for their own
attribute scrubbers should they need to address CVE-2018-8048.
Published by flavorjones almost 8 years ago
https://github.com/flavorjones/loofah - v2.2.1
Notably, this release mitigates CVE-2018-8048.
Published by flavorjones almost 8 years ago