loofah 2.1.0.rc1 released

loofah version 2.1.0.rc1 has been released!

TL;DR: CSS property parsing and sanitization has been re-implemented on top of Crass:


replacing the regexes that were lifted from html5lib back in 2009. I’m relatively sure this is a good thing.

I would very much like feedback on this implementation before cutting an actual release, as Loofah is the underlying implementation for Rails sanitization, and thus has a large surface area. See this article for history on Loofah’s adoption in Rails:


Please provide feedback on this implementation here:


If I don’t know of any blockers by 28 August 2015, I’ll release 2.1.0 final based on this implementation.

- mike