2.3.0 / 2019-09-28

2.3.0 / 2019-09-28

Features

• Expand set of allowed protocols to include tel: and line:. [#104, #147]
• Expand set of allowed CSS functions. [related to #122]
• Allow greater precision in shorthand CSS values. [#149] (Thanks, @danfstucky!)
• Allow CSS property list-style [#162] (Thanks, @jaredbeck!)
• Allow CSS keywords thick and thin [#168] (Thanks, @georgeclaghorn!)
• Allow HTML property contenteditable [#167] (Thanks, @andreynering!)

Bug fixes

• CSS hex values are no longer limited to lowercase hex. Previously uppercase hex were scrubbed. [#165] (Thanks, @asok!)

Deprecations / Name Changes

The following method and constants are hereby deprecated, and will be completely removed in a future release:

• Deprecate Loofah::Helpers::ActionView.white_list_sanitizer, please use Loofah::Helpers::ActionView.safe_list_sanitizer instead.
• Deprecate Loofah::Helpers::ActionView::WhiteListSanitizer, please use Loofah::Helpers::ActionView::SafeListSanitizer instead.
• Deprecate Loofah::HTML5::WhiteList, please use Loofah::HTML5::SafeList instead.

Thanks to @JuanitoFatas for submitting these changes in #164 and for making the language used in Loofah more inclusive.

v2.2.3

Notably, this release addresses CVE-2018-16468.

v2.2.2

2.2.2 / 2018-03-22

Make public Loofah::HTML5::Scrub.force_correct_attribute_escaping!,
which was previously a private method. This is so that downstream gems
(like rails-html-sanitizer) can use this logic directly for their own
attribute scrubbers should they need to address CVE-2018-8048.

v2.2.1

Notably, this release mitigates CVE-2018-8048.