[ANN] loofah 2.1.0.rc1 released

[Mike Dalessio]

loofah version 2.1.0.rc1 has been released!

TL;DR: CSS property parsing and sanitization has been re-implemented on top of Crass:

    https://github.com/rgrove/crass

replacing the regexes that were lifted from html5lib back in 2009. I'm relatively sure this is a good thing.

I would very much like feedback on this implementation before cutting an actual release, as Loofah is the underlying implementation for Rails sanitization, and thus has a large surface area. See this article for history on Loofah's adoption in Rails:

    http://blog.plataformatec.com.br/2014/07/the-new-html-sanitizer-in-rails-4-2/

Please provide feedback on this implementation here:

    https://github.com/flavorjones/loofah/issues/91

If I don't know of any blockers by 28 August 2015, I'll release 2.1.0 final based on this implementation.

- mike

@flavorjones

----

* <https://github.com/flavorjones/loofah>

* <http://rubydoc.info/github/flavorjones/loofah/master/frames>

* <http://librelist.com/browser/loofah>

Loofah is a general library for manipulating and transforming HTML/XML

documents and fragments. It's built on top of Nokogiri and libxml2, so

it's fast and has a nice API.

Loofah excels at HTML sanitization (XSS prevention). It includes some

nice HTML sanitizers, which are based on HTML5lib's whitelist, so it

most likely won't make your codes less secure. (These statements have

not been evaluated by Netexperts.)

ActiveRecord extensions for sanitization are available in the

`loofah-activerecord` gem (see

https://github.com/flavorjones/loofah-activerecord).

Changes:

## 2.1.0.rc1 / 2015-08-17

Notes:

* Re-implemented CSS parsing and sanitization using the {crass}[https://github.com/rgrove/crass] library. #91

Bug fixes:

* Allow negative values in CSS properties. Restores functionality that was reverted in v2.0.3. #91