1.6.0 / 2023-05-26
1.6.0 / 2023-05-26
-
Dependencies have been updated:
- Loofah
~>2.21
and Nokogiri~>1.14
for HTML5 parser support - As a result, required Ruby version is now
>= 2.7.0
Security updates will continue to be made on the
1.5.x
release branch as long as Rails 6.1
(which supports Ruby 2.5) is still in security support.Mike Dalessio
- Loofah
-
HTML5 standards-compliant sanitizers are now available on platforms supported by
Nokogiri::HTML5. These are available as:Rails::HTML5::FullSanitizer
Rails::HTML5::LinkSanitizer
Rails::HTML5::SafeListSanitizer
And a new "vendor" is provided at
Rails::HTML5::Sanitizer
that can be used in a future version
of Rails.Note that for symmetry
Rails::HTML4::Sanitizer
is also added, though its behavior is identical
to the vendor class methods onRails::HTML::Sanitizer
.Users may call
Rails::HTML::Sanitizer.best_supported_vendor
to get back the HTML5 vendor if it's
supported, else the legacy HTML4 vendor.Mike Dalessio
-
Module namespaces have changed, but backwards compatibility is provided by aliases.
The library defines three additional modules:
Rails::HTML
for general functionality (replacingRails::Html
)Rails::HTML4
containing sanitizers that parse content as HTML4Rails::HTML5
containing sanitizers that parse content as HTML5
The following aliases are maintained for backwards compatibility:
Rails::Html
points toRails::HTML
Rails::HTML::FullSanitizer
points toRails::HTML4::FullSanitizer
Rails::HTML::LinkSanitizer
points toRails::HTML4::LinkSanitizer
Rails::HTML::SafeListSanitizer
points toRails::HTML4::SafeListSanitizer
Mike Dalessio
-
LinkSanitizer
always returns UTF-8 encoded strings.SafeListSanitizer
andFullSanitizer
already ensured this encoding.Mike Dalessio
-
SafeListSanitizer
allowstime
tag andlang
attribute by default.Mike Dalessio
-
The constant
Rails::Html::XPATHS_TO_REMOVE
has been removed. It's not necessary with the
existing sanitizers, and should have been a private constant all along anyway.Mike Dalessio