-
-
Notifications
You must be signed in to change notification settings - Fork 138
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Showing
1 changed file
with
34 additions
and
32 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -20,62 +20,64 @@ attribute scrubbers should they need to address CVE-2018-8048. | |
|
|
||
| ## 2.2.1 / 2018-03-19 | ||
|
|
||
| ### Security | ||
|
|
||
| Addresses CVE-2018-8048. Loofah allowed non-whitelisted attributes to be present in sanitized output when input with specially-crafted HTML fragments. | ||
|
|
||
| This CVE's public notice is at https://github.com/flavorjones/loofah/issues/144 | ||
|
|
||
|
|
||
| ## 2.2.0 / 2018-02-11 | ||
|
|
||
| Features: | ||
| ### Features: | ||
|
|
||
| * Support HTML5 `<main>` tag. #133 (Thanks, @MothOnMars!) | ||
| * Recognize HTML5 block elements. #136 (Thanks, @MothOnMars!) | ||
| * Support SVG `<symbol>` tag. #131 (Thanks, @baopham!) | ||
| * Support for whitelisting CSS functions, initially just `calc` and `rgb`. #122/#123/#129 (Thanks, @NikoRoberts!) | ||
| * Whitelist CSS property `list-style-type`. #68/#137/#142 (Thanks, @andela-ysanni and @NikoRoberts!) | ||
|
|
||
| Bugfixes: | ||
| ### Bugfixes: | ||
|
|
||
| * Properly handle nested `script` tags. #127. | ||
|
|
||
|
|
||
| ## 2.1.1 / 2017-09-24 | ||
|
|
||
| Bugfixes: | ||
| ### Bugfixes: | ||
|
|
||
| * Removed warning for unused variable. #124 (Thanks, @y-yagi!) | ||
|
|
||
|
|
||
| ## 2.1.0 / 2017-09-24 | ||
|
|
||
| Notes: | ||
| ### Notes: | ||
|
|
||
| * Re-implemented CSS parsing and sanitization using the [crass](https://github.com/rgrove/crass) library. #91 | ||
|
|
||
|
|
||
| Features: | ||
| ### Features: | ||
|
|
||
| * Added :noopener HTML scrubber (Thanks, @tastycode!) | ||
| * Support `data` URIs with the following media types: text/plain, text/css, image/png, image/gif, image/jpeg, image/svg+xml. #101, #120. (Thanks, @mrpasquini!) | ||
|
|
||
|
|
||
| Bugfixes: | ||
| ### Bugfixes: | ||
|
|
||
| * The :unprintable scrubber now scrubs unprintable characters in CDATA nodes (like `<script>`). #124 | ||
| * Allow negative values in CSS properties. Restores functionality that was reverted in v2.0.3. #91 | ||
|
|
||
|
|
||
| ## 2.0.3 / 2015-08-17 | ||
|
|
||
| Bug fixes: | ||
| ### Bug fixes: | ||
|
|
||
| * Revert support for negative values in CSS properties due to slow performance. #90 (Related to #85.) | ||
|
|
||
|
|
||
| ## 2.0.2 / 2015-05-05 | ||
|
|
||
| Bug fixes: | ||
| ### Bug fixes: | ||
|
|
||
| * Fix error with `#to_text` when Loofah::Helpers hadn't been required. #75 | ||
| * Allow multi-word data attributes. #84 (Thanks, @jstorimer!) | ||
|
|
@@ -84,24 +86,24 @@ Bug fixes: | |
|
|
||
| ## 2.0.1 / 2014-08-21 | ||
|
|
||
| Bug fixes: | ||
| ### Bug fixes: | ||
|
|
||
| * Load RR correctly when running test files directly. (Thanks, @ktdreyer!) | ||
|
|
||
|
|
||
| Notes: | ||
| ### Notes: | ||
|
|
||
| * Extracted HTML5::Scrub#scrub_css_attribute to accommodate the Rails integration work. (Thanks, @kaspth!) | ||
|
|
||
|
|
||
| ## 2.0.0 / 2014-05-09 | ||
|
|
||
| Compatibility notes: | ||
| ### Compatibility notes: | ||
|
|
||
| * ActionView helpers now must be required explicitly: `require "loofah/helpers"` | ||
| * Support for Ruby 1.8.7 and prior has been dropped | ||
|
|
||
| Enhancements: | ||
| ### Enhancements: | ||
|
|
||
| * HTML5 whitelist allows the following ... | ||
| * tags: `article`, `aside`, `bdi`, `bdo`, `canvas`, `command`, `datalist`, `details`, `figcaption`, `figure`, `footer`, `header`, `mark`, `meter`, `nav`, `output`, `section`, `summary`, `time` | ||
|
|
@@ -111,7 +113,7 @@ Enhancements: | |
| * `Loofah.fragment` accepts an optional encoding argument, compatible with `Nokogiri::HTML::DocumentFragment.parse`. #62 (Thanks, Ben Atkins!) | ||
| * HTML5 sanitizers now remove attributes without values. (Thanks, Kasper Timm Hansen!) | ||
|
|
||
| Bug fixes: | ||
| ### Bug fixes: | ||
|
|
||
| * HTML5 sanitizers' CSS keyword check now actually works (broken in v2.0). Additional regression tests added. (Thanks, Kasper Timm Hansen!) | ||
| * HTML5 sanitizers now allow negative arguments to CSS. #64 (Thanks, Jon Calhoun!) | ||
|
|
@@ -124,15 +126,15 @@ Bug fixes: | |
|
|
||
| ## 1.2.0 (2011-08-08) | ||
|
|
||
| Enhancements: | ||
| ### Enhancements: | ||
|
|
||
| * Loofah::Helpers.sanitize_css is a replacement for Rails's built-in sanitize_css helper. | ||
| * Improving ActionView integration. | ||
|
|
||
|
|
||
| ## 1.1.0 (2011-08-08) | ||
|
|
||
| Enhancements: | ||
| ### Enhancements: | ||
|
|
||
| * Additional HTML5lib whitelist elements (from html5lib 1524:80b5efe26230). | ||
| Up to date with HTML5lib ruby code as of 1723:7ee6a0331856. | ||
|
|
@@ -142,15 +144,15 @@ Enhancements: | |
|
|
||
| ## 1.0.0 (2010-10-26) | ||
|
|
||
| Notes: | ||
| ### Notes: | ||
|
|
||
| * Moved ActiveRecord functionality into `loofah-activerecord` gem. | ||
| * Removed DEPRECATIONS.rdoc documenting 0.3.0 API changes. | ||
|
|
||
|
|
||
| ## 0.4.7 (2010-03-09) | ||
|
|
||
| Enhancements: | ||
| ### Enhancements: | ||
|
|
||
| * New methods Loofah::HTML::Document#to_text and | ||
| Loofah::HTML::DocumentFragment#to_text do the right thing with | ||
|
|
@@ -163,23 +165,23 @@ Enhancements: | |
|
|
||
| ## 0.4.4, 0.4.5, 0.4.6 (2010-02-01) | ||
|
|
||
| Enhancements: | ||
| ### Enhancements: | ||
|
|
||
| * Loofah::HTML::Document#text and Loofah::HTML::DocumentFragment#text now escape HTML entities. | ||
|
|
||
| Bug fixes: | ||
| ### Bug fixes: | ||
|
|
||
| * Loofah::XssFoliate was not properly escaping HTML entities when implicitly scrubbing a string attribute. GH #17 | ||
|
|
||
|
|
||
| ## 0.4.3 (2010-01-29) | ||
|
|
||
| Enhancements: | ||
| ### Enhancements: | ||
|
|
||
| * All built-in scrubbers are accepted by ActiveRecord::Base.xss_foliate | ||
| * Loofah::XssFoliate.xss_foliate_all_models replaces use of the constant LOOFAH_XSS_FOLIATE_ALL_MODELS | ||
|
|
||
| Miscellaneous: | ||
| ### Miscellaneous: | ||
|
|
||
| * Modified documentation for bootstrapping XssFoliate in a Rails app, | ||
| since the use of Bundler breaks the previously-documented method. To | ||
|
|
@@ -188,33 +190,33 @@ Miscellaneous: | |
|
|
||
| ## 0.4.2 (2010-01-22) | ||
|
|
||
| Enhancements: | ||
| ### Enhancements: | ||
|
|
||
| * Implemented Node#scrub! for scrubbing subtrees. | ||
| * Implemented NodeSet#scrub! for scrubbing a set of subtrees. | ||
| * Document.text now only serializes <body> contents (ignores <head>) | ||
| * <head>, <html> and <body> added to the HTML5lib whitelist. | ||
|
|
||
| Bug fixes: | ||
| ### Bug fixes: | ||
|
|
||
| * Supporting Rails apps that aren't loading ActiveRecord. GH #10 | ||
|
|
||
| Miscellaneous: | ||
| ### Miscellaneous: | ||
|
|
||
| * Mailing list is now [email protected] / http://librelist.com | ||
| * IRC channel is now \#loofah on freenode. | ||
|
|
||
|
|
||
| ## 0.4.1 (2009-11-23) | ||
|
|
||
| Bugfix: | ||
| ### Bugfix: | ||
|
|
||
| * Manifest fixed. Whoops. | ||
|
|
||
|
|
||
| ## 0.4.0 (2009-11-21) | ||
|
|
||
| Enhancements: | ||
| ### Enhancements: | ||
|
|
||
| * Scrubber class introduced, allowing development of custom scrubbers. | ||
| * Added support for XML documents and fragments. | ||
|
|
@@ -225,20 +227,20 @@ Enhancements: | |
|
|
||
| ## 0.3.1 (2009-10-12) | ||
|
|
||
| Bug fixes: | ||
| ### Bug fixes: | ||
|
|
||
| * Scrubbed Documents properly render html, head and body tags when serialized. | ||
|
|
||
|
|
||
| ## 0.3.0 (2009-10-06) | ||
|
|
||
| Enhancements: | ||
| ### Enhancements: | ||
|
|
||
| * New ActiveRecord extension `xss_foliate`, a drop-in replacement for xss_terminate[http://github.com/look/xss_terminate/tree/master]. | ||
| * Replacement methods for Rails's helpers, Loofah::Rails.sanitize and Loofah::Rails.strip_tags. | ||
| * Official support (and test coverage) for Rails versions 2.3, 2.2, 2.1, 2.0 and 1.2. | ||
|
|
||
| Deprecations: | ||
| ### Deprecations: | ||
|
|
||
| * The methods strip_tags, whitewash, whitewash_document, sanitize, and | ||
| sanitize_document have been deprecated. See DEPRECATED.rdoc for | ||
|
|
@@ -247,20 +249,20 @@ Deprecations: | |
|
|
||
| ## 0.2.2 (2009-09-30) | ||
|
|
||
| Enhancements: | ||
| ### Enhancements: | ||
|
|
||
| * ActiveRecord extension scrubs fields in a before_validation callback | ||
| (was previously in a before_save) | ||
|
|
||
|
|
||
| ## 0.2.1 (2009-09-19) | ||
|
|
||
| Enhancements: | ||
| ### Enhancements: | ||
|
|
||
| * when loaded in a Rails app, automatically extend ActiveRecord::Base | ||
| with html_fragment and html_document. GH #6 (Thanks Josh Nichols!) | ||
|
|
||
| Bugfixes: | ||
| ### Bugfixes: | ||
|
|
||
| * ActiveRecord scrubbing should generate strings instead of Document or | ||
| DocumentFragment objects. GH #5 | ||
|
|
||