CSS parsing should not use regexes.

[flavorjones]

Related to #90, regexes are the wrong thing to be using for CSS property parsing, and are present only as part of this library's html5lib heritage.

Find an alternative and reimplement Loofah::HTML5::Scrub.scrub_css.

Crass has been suggested. Are there other alternatives we should evaluate?

[flavorjones]

I've released v2.1.0.rc1 with CSS parsing and sanitization re-implemented on top of Crass.

/cc @rgrove for a heads-up that this may be happening. Crass will become an implicit dependency of Rails if this change makes it into an actual Loofah release.

Please provide feedback on the Crass implementation on this issue.

[rgrove]

Nice! This is both scary and exciting. 😳

[flavorjones]

[flavorjones]

Sent an announcement about this release:

• ruby-talk thread
• rubyonrails-talk thread

[kaspth]

Just tried this out on Rails Html Sanitizer and it worked great! I'm a little bummed it doesn't keep the single space between key and value ¯_(ツ)_/¯

[flavorjones]

@kaspth Great! Thanks for the feedback, and sorry about the whitespace. ;)

If I don't hear of any blockers by 28 August 2015, I'll release 2.1.0 final based on this implementation.

[kaspth]

Sounds good 👍

[flavorjones]

No objections having been received, and no blockers raised, I'm going to ship it.

[flavorjones]

Just a note that I'd like to fix the failing tests on JRuby before shipping. Looks like it's unrelated to the CSS changes.

[olivierlacan]

Looks like this should be closed.

[flavorjones]

@olivierlacan Not yet. Haven't made a final release with this code in it yet. Still waiting on bugfixes to JRuby Nokogiri in order to prevent JRuby failures with Loofah.

This is in v2.1.0.rc2 if anyone wants to play with it.

[flavorjones]

v2.1.0 has been released using crass as its css parser. w00t. Thanks, all. /cc @rgrove

[kaspth]

💪❤️