Skip to content

1.6.0 / 2023-05-26

Compare
Choose a tag to compare
@flavorjones flavorjones released this 26 May 13:22
· 55 commits to main since this release
19fd6cd

1.6.0 / 2023-05-26

  • Dependencies have been updated:

    • Loofah ~>2.21 and Nokogiri ~>1.14 for HTML5 parser support
    • As a result, required Ruby version is now >= 2.7.0

    Security updates will continue to be made on the 1.5.x release branch as long as Rails 6.1
    (which supports Ruby 2.5) is still in security support.

    Mike Dalessio

  • HTML5 standards-compliant sanitizers are now available on platforms supported by
    Nokogiri::HTML5. These are available as:

    • Rails::HTML5::FullSanitizer
    • Rails::HTML5::LinkSanitizer
    • Rails::HTML5::SafeListSanitizer

    And a new "vendor" is provided at Rails::HTML5::Sanitizer that can be used in a future version
    of Rails.

    Note that for symmetry Rails::HTML4::Sanitizer is also added, though its behavior is identical
    to the vendor class methods on Rails::HTML::Sanitizer.

    Users may call Rails::HTML::Sanitizer.best_supported_vendor to get back the HTML5 vendor if it's
    supported, else the legacy HTML4 vendor.

    Mike Dalessio

  • Module namespaces have changed, but backwards compatibility is provided by aliases.

    The library defines three additional modules:

    • Rails::HTML for general functionality (replacing Rails::Html)
    • Rails::HTML4 containing sanitizers that parse content as HTML4
    • Rails::HTML5 containing sanitizers that parse content as HTML5

    The following aliases are maintained for backwards compatibility:

    • Rails::Html points to Rails::HTML
    • Rails::HTML::FullSanitizer points to Rails::HTML4::FullSanitizer
    • Rails::HTML::LinkSanitizer points to Rails::HTML4::LinkSanitizer
    • Rails::HTML::SafeListSanitizer points to Rails::HTML4::SafeListSanitizer

    Mike Dalessio

  • LinkSanitizer always returns UTF-8 encoded strings. SafeListSanitizer and FullSanitizer
    already ensured this encoding.

    Mike Dalessio

  • SafeListSanitizer allows time tag and lang attribute by default.

    Mike Dalessio

  • The constant Rails::Html::XPATHS_TO_REMOVE has been removed. It's not necessary with the
    existing sanitizers, and should have been a private constant all along anyway.

    Mike Dalessio