loofah version 0.4.7 has been released! * <http://github.com/flavorjones/loofah> * <http://loofah.rubyforge.org> * <http://rubyforge.org/projects/loofah>
Loofah is a general library for manipulating and transforming HTML/XML documents and fragments. It's built on top of Nokogiri and libxml2, so it's fast and has a nice API. Loofah excels at HTML sanitization (XSS prevention). It includes some nice HTML sanitizers, which are based on HTML5lib's whitelist, so it most likely won't make your codes less secure. (These statements have not been evaluated by Netexperts.) == Changes 0.4.7 (2010-03-09) Enhancements: * New methods Loofah::HTML::Document#to_text and Loofah::HTML::DocumentFragment#to_text do the right thing with whitespace. Note that these methods are significantly slower than #text. GH #12 * Loofah::Elements::BLOCK_LEVEL contains a canonical list of HTML4 block-level4 elements. * Loofah::HTML::Document#text and Loofah::HTML::DocumentFragment#text will return unescaped HTML entities by passing :encode_special_chars => false. == Features * Easily write custom scrubbers for HTML/XML leveraging the sweetness of Nokogiri (and HTML5lib's whitelists). * Common HTML sanitizing tasks are built-in: * _Strip_ unsafe tags, leaving behind only the inner text. * _Prune_ unsafe tags and their subtrees, removing all traces that they ever existed. * _Escape_ unsafe tags and their subtrees, leaving behind lots of <tt><</tt> and <tt>></tt> entities. * _Whitewash_ the markup, removing all attributes and namespaced nodes. * Common HTML transformation tasks are built-in: * Add the _nofollow_ attribute to all hyperlinks. * Format markup as plain text, with or without sensible whitespace handling around block elements. * Replace Rails's +strip_tags+ and +sanitize+ helper methods. * Two ActiveRecord extensions: * Loofah::XssFoliate, an XssTerminate[ http://github.com/look/xss_terminate/tree/master] drop-in replacement, is an *opt-out* sanitizer. By default all models and attributes are sanitized. * Loofah::ActiveRecordExtension is an *opt-in* sanitizer. You must explicitly declare attributes to be sanitized. == Compare and Contrast Loofah is one of two known Ruby XSS/sanitization solutions that guarantees well-formed and valid markup (the other is Sanitize, which also uses Nokogiri). Loofah works fine on XML, XHTML and HTML documents. Also, it's pretty fast. Here is a benchmark comparing Loofah to other commonly-used libraries (ActionView, Sanitize, HTML5lib and HTMLfilter): * http://gist.github.com/170193 Lastly, Loofah is extensible. It's super-easy to write your own custom scrubbers for whatever document manipulation you need. You don't like the built-in scrubbers? Build your own, like a boss. -- You received this message because you are subscribed to the Google Groups "Ruby on Rails: Talk" group. To post to this group, send email to rubyonrails-t...@googlegroups.com. To unsubscribe from this group, send email to rubyonrails-talk+unsubscr...@googlegroups.com. For more options, visit this group at http://groups.google.com/group/rubyonrails-talk?hl=en.
