loofah 2.1.0.rc1 released

loofah version 2.1.0.rc1 has been released!

TL;DR: CSS property parsing and sanitization has been re-implemented on top of Crass:

https://github.com/rgrove/crass

replacing the regexes that were lifted from html5lib back in 2009. I’m relatively sure this is a good thing.

I would very much like feedback on this implementation before cutting an actual release, as Loofah is the underlying implementation for Rails sanitization, and thus has a large surface area. See this article for history on Loofah’s adoption in Rails:

http://blog.plataformatec.com.br/2014/07/the-new-html-sanitizer-in-rails-4-2/

Please provide feedback on this implementation here:

https://github.com/flavorjones/loofah/issues/91

If I don’t know of any blockers by 28 August 2015, I’ll release 2.1.0 final based on this implementation.

- mike

@flavorjones