|
1 | 1 | ## next / unreleased
|
2 | 2 |
|
3 |
| -* `SafeListSanitizer` allows `time` tag and `lang` attribute by default. |
| 3 | +* Sanitizers that use an HTML5 parser are now available on platforms supported by |
| 4 | + Nokogiri::HTML5. These are available as: |
| 5 | + |
| 6 | + - `Rails::HTML5::FullSanitizer` |
| 7 | + - `Rails::HTML5::LinkSanitizer` |
| 8 | + - `Rails::HTML5::SafeListSanitizer` |
| 9 | + |
| 10 | + And a new "vendor" is provided at `Rails::HTML5::Sanitizer` that can be used in a future version |
| 11 | + of Rails. |
| 12 | + |
| 13 | + Note that for symmetry `Rails::HTML4::Sanitizer` is also added, though its behavior is identical |
| 14 | + to the vendor class methods on `Rails::HTML::Sanitizer`. |
4 | 15 |
|
5 | 16 | *Mike Dalessio*
|
6 | 17 |
|
7 |
| -* `Rails::Html::XPATHS_TO_REMOVE` has been removed. It's not necessary with the existing sanitizers, |
8 |
| - and should have been a private constant all along anyway. |
| 18 | +* Module namespaces have changed, but backwards compatibility is provided by aliases. |
| 19 | + |
| 20 | + The library defines three additional modules: |
| 21 | + |
| 22 | + - `Rails::HTML` for general functionality (replacing `Rails::Html`) |
| 23 | + - `Rails::HTML4` containing sanitizers that parse content as HTML4 |
| 24 | + - `Rails::HTML5` containing sanitizers that parse content as HTML5 |
| 25 | + |
| 26 | + The following aliases are maintained for backwards compatibility: |
| 27 | + |
| 28 | + - `Rails::Html` points to `Rails::HTML` |
| 29 | + - `Rails::HTML::FullSanitizer` points to `Rails::HTML4::FullSanitizer` |
| 30 | + - `Rails::HTML::LinkSanitizer` points to `Rails::HTML4::LinkSanitizer` |
| 31 | + - `Rails::HTML::SafeListSanitizer` points to `Rails::HTML4::SafeListSanitizer` |
9 | 32 |
|
10 | 33 | *Mike Dalessio*
|
11 | 34 |
|
12 |
| -* `Rails::Html` has been renamed to `Rails::HTML`, but this module is aliased to `Rails::Html` for |
13 |
| - backwards compatibility. |
| 35 | +* `SafeListSanitizer` allows `time` tag and `lang` attribute by default. |
| 36 | + |
| 37 | + *Mike Dalessio* |
| 38 | + |
| 39 | +* `Rails::Html::XPATHS_TO_REMOVE` has been removed. It's not necessary with the existing sanitizers, |
| 40 | + and should have been a private constant all along anyway. |
14 | 41 |
|
15 | 42 | *Mike Dalessio*
|
16 | 43 |
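Review bot: The entry at added lines 3-4 says the HTML5 sanitizers are "available on platforms supported by Nokogiri::HTML5" but never says what a caller sees on a platform without that support, that is, whether `Rails::HTML5::FullSanitizer` and the other two constants are left undefined or fail when used. Applications will have to branch on this when choosing a sanitizer, so state the behaviour and how to check for it. It would also help to say in this entry, not only in the alias list at added lines 28-31, that the existing `Rails::HTML::*` names keep HTML4 parsing, so upgrading alone does not change how untrusted markup is parsed.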
|
|
24 | 51 |
|
25 | 52 | *seyerian*
|
26 | 53 |
|
| 54 | + |
27 | 55 | ## 1.4.4 / 2022-12-13
|
28 | 56 |
|
29 | 57 | * Address inefficient regular expression complexity with certain configurations of Rails::Html::Sanitizer.
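Review bot: The blank line added at new line 54 follows the existing blank line 53, leaving two consecutive blank lines before `## 1.4.4 / 2022-12-13`, and the same whitespace-only change repeats before each older release heading. These edits are unrelated to the sanitizer and namespace entries above, so consider moving them to a separate formatting commit, or dropping them if the project lints its Markdown for repeated blank lines.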
|
|
69 | 97 |
|
70 | 98 | *Mike Dalessio*
|
71 | 99 |
|
| 100 | + |
72 | 101 | ## 1.4.2 / 2021-08-23
|
73 | 102 |
|
74 | 103 | * Slightly improve performance.
|
|
77 | 106 |
|
78 | 107 | *Mike Dalessio*
|
79 | 108 |
|
| 109 | + |
80 | 110 | ## 1.4.1 / 2021-08-18
|
81 | 111 |
|
82 | 112 | * Fix regression in v1.4.0 that did not pass comment nodes to the scrubber.
|
|
89 | 119 |
|
90 | 120 | *Mike Dalessio*
|
91 | 121 |
|
| 122 | + |
92 | 123 | ## 1.4.0 / 2021-08-18
|
93 | 124 |
|
94 | 125 | * Processing Instructions are no longer allowed by Rails::Html::PermitScrubber
|
|
101 | 132 |
|
102 | 133 | *Mike Dalessio*
|
103 | 134 |
|
| 135 | + |
104 | 136 | ## 1.3.0
|
105 | 137 |
|
106 | 138 | * Address deprecations in Loofah 2.3.0.
|
107 | 139 |
|
108 | 140 | *Josh Goodall*
|
109 | 141 |
|
| 142 | + |
110 | 143 | ## 1.2.0
|
111 | 144 |
|
112 | 145 | * Remove needless `white_list_sanitizer` deprecation.
|
|
121 | 154 |
|
122 | 155 | *Kasper Timm Hansen*
|
123 | 156 |
|
| 157 | + |
124 | 158 | ## 1.1.0
|
125 | 159 |
|
126 | 160 | * Add `safe_list_sanitizer` and deprecate `white_list_sanitizer` to be removed
|
|
138 | 172 |
|
139 | 173 | *Kasper Timm Hansen*
|
140 | 174 |
|
| 175 | + |
141 | 176 | ## 1.0.1
|
142 | 177 |
|
143 | 178 | * Added support for Rails 4.2.0.beta2 and above
|
144 | 179 |
|
| 180 | + |
145 | 181 | ## 1.0.0
|
146 | 182 |
|
147 | 183 | * First release.
|