[ANN] loofah 0.4.0 Released


Mike Dalessio

[Note: parts of this message were removed to make it a legal post.]

loofah version 0.4.0 has been released!

* <http://loofah.rubyforge.org>
* <http://rubyforge.org/projects/loofah>
* <http://github.com/flavorjones/loofah>

Loofah is a general library for manipulating HTML/XML documents and
fragments. It's built on top of Nokogiri and libxml2, so it's fast and
has a nice API.

Loofah excels at HTML sanitization (XSS prevention). It includes some
nice HTML sanitizers, which are based on HTML5lib's whitelist, so it
most likely won't make your code less secure. (These statements have
not been evaluated by Netexperts.)


## Changes in 0.4.0

Enhancements:

* Scrubber class introduced, allowing development of custom scrubbers.
* Added support for XML documents and fragments.
* Added :nofollow HTML scrubber (thanks Luke Melia!)
* Built-in scrubbing methods refactored to use Scrubber.


## Features

* Easily write custom scrubbers for HTML/XML leveraging the sweetness of
  Nokogiri (and HTML5lib's whitelists).
* Common HTML sanitizing tasks are built-in:
  * _Strip_ unsafe tags, leaving behind only the inner text.
  * _Prune_ unsafe tags and their subtrees, removing all traces that they
    ever existed.
  * _Escape_ unsafe tags and their subtrees, leaving behind lots of
    <tt>&lt;</tt> and <tt>&gt;</tt> entities.
  * _Whitewash_ the markup, removing all attributes and namespaced nodes.
* Common HTML transformation tasks are built-in:
  * Add the _nofollow_ attribute to all hyperlinks.
  * Format markup as plain text.
* Replace Rails's +strip_tags+ and +sanitize+ helper methods.
* Two ActiveRecord extensions:
  * Loofah::XssFoliate, an XssTerminate drop-in replacement, is an *opt-out*
    sanitizer. By default all models and attributes are sanitized.
  * Loofah::ActiveRecordExtension is an *opt-in* sanitizer. You must
    explicitly declare attributes to be sanitized.
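To make the difference between the four built-in policies concrete, here is an added example (not Loofah's code and not part of this announcement) that applies strip, prune, escape and whitewash to a well-formed XHTML fragment using Ruby's standard-library REXML instead of Nokogiri. The whitelist, the sample fragment and every helper name (`safe_href?`, `scrub!`, `scrub_fragment`) are constructed for illustration; HTML5lib's real whitelist is far longer, and the whitewash policy here is an assumption that keeps whitelisted tags, drops every attribute and prunes everything else.

```ruby
require "rexml/document"

# Constructed whitelist for this example only; HTML5lib's lists are much longer.
SAFE_ELEMENTS   = %w[a b i em strong p ul ol li br span].freeze
SAFE_ATTRIBUTES = %w[href title].freeze
SAFE_SCHEMES    = %w[http https mailto].freeze

# An href is acceptable if it is relative or uses a whitelisted scheme.
# Whitespace and control characters are removed before the check because
# browsers ignore them, so "java\nscript:" would otherwise slip through.
def safe_href?(value)
  v = value.gsub(/[\s\x00-\x1f]/, "").downcase
  m = v.match(/\A([a-z][a-z0-9+.\-]*):/)
  m.nil? || SAFE_SCHEMES.include?(m[1])
end

# Snapshot an element's attributes so we never delete while iterating.
def attribute_list(el)
  attrs = []
  el.attributes.each_attribute { |a| attrs << a }
  attrs
end

# Keep only whitelisted attributes, and only hrefs with a safe scheme.
def scrub_attributes!(el)
  attribute_list(el).each do |attr|
    name = attr.expanded_name
    keep = SAFE_ATTRIBUTES.include?(name) && (name != "href" || safe_href?(attr.value))
    el.delete_attribute(name) unless keep
  end
end

# Namespaced (prefixed) elements are never safe, matching the whitewash rule above.
def safe_element?(el)
  el.prefix.to_s.empty? && SAFE_ELEMENTS.include?(el.name.downcase)
end

# Walk +parent+'s children and apply +mode+ to every unsafe element.
# For :strip the subtree is scrubbed first, so hoisted children are already clean.
def scrub!(parent, mode)
  parent.children.dup.each do |node|
    next unless node.is_a?(REXML::Element)
    if safe_element?(node)
      if mode == :whitewash
        attribute_list(node).each { |a| node.delete_attribute(a.expanded_name) }
      else
        scrub_attributes!(node)
      end
      scrub!(node, mode)
      next
    end
    case mode
    when :strip   # drop the tag, keep its (scrubbed) children in place
      scrub!(node, mode)
      node.children.dup.each { |child| parent.insert_before(node, child) }
      node.remove
    when :escape  # replace the subtree with its markup as escaped text
      parent.replace_child(node, REXML::Text.new(node.to_s))
    else          # :prune and :whitewash remove the whole subtree
      node.remove
    end
  end
  parent
end

# Parse a well-formed fragment, scrub it, and serialize the children back.
def scrub_fragment(fragment, mode)
  doc = REXML::Document.new("<root>#{fragment}</root>")
  scrub!(doc.root, mode)
  doc.root.children.map(&:to_s).join
end

# Constructed sample input: an event handler, a script, a javascript: link and a safe link.
SAMPLE = '<p onclick="alert(1)">Hi <b>there</b><script>evil()</script>' \
         '<a href="javascript:alert(1)">link</a><a href="http://example.com/">ok</a></p>'

if __FILE__ == $PROGRAM_NAME
  %i[strip prune escape whitewash].each do |mode|
    puts "#{mode}: #{scrub_fragment(SAMPLE, mode)}"
  end
end
```

Because REXML is an XML parser it rejects the input real users actually post (an unclosed `<br>`, a bare `&`), and an attacker can exploit any gap between the parser you sanitize with and the browser's HTML parser. That parser mismatch is the reason a production sanitizer such as Loofah sits on Nokogiri's HTML parser rather than on an XML one.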


## Compare and Contrast

Loofah is the only Ruby XSS/sanitization solution that guarantees
well-formed and valid markup.

Loofah works fine on XML, XHTML and HTML documents.

Also, it's pretty fast. Here is a benchmark comparing Loofah to other
commonly-used libraries (ActionView, Sanitize and HTML5lib):

http://gist.github.com/170193

Lastly, Loofah is extensible. It's super-easy to write your own custom
scrubbers for whatever document manipulation you need. You don't like
the built-in scrubbers? Build your own, like a boss.