1.6.0 / 2023-05-26
- Dependencies have been updated:

  - Loofah `~>2.21` and Nokogiri `~>1.14` for HTML5 parser support
  - As a result, the required Ruby version is now `>= 2.7.0`

  Security updates will continue to be made on the `1.5.x` release branch as long as Rails 6.1
  (which supports Ruby 2.5) is still in security support.

  Mike Dalessio

- HTML5 standards-compliant sanitizers are now available on platforms supported by
  `Nokogiri::HTML5`. These are available as:

  - `Rails::HTML5::FullSanitizer`
  - `Rails::HTML5::LinkSanitizer`
  - `Rails::HTML5::SafeListSanitizer`

  And a new "vendor" is provided at `Rails::HTML5::Sanitizer` that can be used in a future version
  of Rails.

  Note that for symmetry `Rails::HTML4::Sanitizer` is also added, though its behavior is identical
  to the vendor class methods on `Rails::HTML::Sanitizer`.

  Users may call `Rails::HTML::Sanitizer.best_supported_vendor` to get back the HTML5 vendor if it's
  supported, else the legacy HTML4 vendor.

  Mike Dalessio

- Module namespaces have changed, but backwards compatibility is provided by aliases.

  The library defines three additional modules:

  - `Rails::HTML` for general functionality (replacing `Rails::Html`)
  - `Rails::HTML4` containing sanitizers that parse content as HTML4
  - `Rails::HTML5` containing sanitizers that parse content as HTML5

  The following aliases are maintained for backwards compatibility:

  - `Rails::Html` points to `Rails::HTML`
  - `Rails::HTML::FullSanitizer` points to `Rails::HTML4::FullSanitizer`
  - `Rails::HTML::LinkSanitizer` points to `Rails::HTML4::LinkSanitizer`
  - `Rails::HTML::SafeListSanitizer` points to `Rails::HTML4::SafeListSanitizer`

  Mike Dalessio

- `LinkSanitizer` always returns UTF-8 encoded strings. `SafeListSanitizer` and `FullSanitizer`
  already ensured this encoding.

  Mike Dalessio

- `SafeListSanitizer` allows the `time` tag and the `lang` attribute by default.

  Mike Dalessio

- The constant `Rails::Html::XPATHS_TO_REMOVE` has been removed. It's not necessary with the
  existing sanitizers, and should have been a private constant all along anyway.

  Mike Dalessio