loofah version 2.1.0.rc1 has been released!
TL;DR: CSS property parsing and sanitization has been re-implemented on top of Crass:
https://github.com/rgrove/crass
replacing the regexes that were lifted from html5lib back in 2009. I’m relatively sure this is a good thing.
I would very much like feedback on this implementation before cutting an actual release, as Loofah is the underlying implementation for Rails sanitization, and thus has a large surface area. See this article for history on Loofah’s adoption in Rails:
http://blog.plataformatec.com.br/2014/07/the-new-html-sanitizer-in-rails-4-2/
Please provide feedback on this implementation here:
https://github.com/flavorjones/loofah/issues/91
If I don’t know of any blockers by 28 August 2015, I’ll release 2.1.0 final based on this implementation.
- mike