Changelog History

  • v2.1.0 Changes

    January 13, 2014
    • Added support for allowlisting arbitrary HTML5 data-* attributes. Use the symbol :data instead of an attribute name in the :attributes config to indicate that arbitrary data attributes should be allowed on an element.

    • Added the following elements to the relaxed config: address, bdi, hr, and summary.

    • Fixed: A colon (:) character in a URL fragment identifier such as #foo:1 was incorrectly treated as a protocol delimiter. @heathd - #87

  • v2.0.6 Changes

    July 10, 2013
    • Fixed: Version 2.0.5 inadvertently included some work-in-progress changes that shouldn't have made their way into the master branch. This is what happens when I release before coffee instead of after.
  • v2.0.5 Changes

    July 10, 2013
    • Loosened the Nokogiri dependency back to >= 1.4.4 to allow Sanitize to coexist in newer Rubies with other libraries that restrict Nokogiri to 1.5.x for 1.8.7 compatibility. Sanitize still no longer supports 1.8.7, but this should make life easier for people who need those other libs.
  • v2.0.4 Changes

    June 12, 2013
    • Added Sanitize.clean_document, which sanitizes a full HTML document rather than just a fragment. [Ben Anderson]

    • Nokogiri dependency bumped to 1.6.x.

    • Dropped support for Ruby versions older than 1.9.2.

  • v2.0.3 Changes

    July 01, 2011
    • Loosened the Nokogiri dependency to allow Nokogiri 1.5.x.
  • v2.0.2 Changes

    May 21, 2011
    • Fixed a bug in which a protocol like "java\script:" would be translated to "java%5Cscript:" and allowed through the filter when relative URLs were enabled. This didn't actually allow malicious code to run, but it is undesired behavior.
  • v2.0.1 Changes

    March 16, 2011
    • Updated the protocol regex to anchor at the beginning of the string rather than the beginning of a line. [Eaden McKee]
  • v2.0.0 Changes

    January 15, 2011
    • The environment data passed into transformers and the return values expected from transformers have changed. Old transformers will need to be updated. See the README for details.

    • Transformers now receive nodes of all types, not just element nodes.

    • Sanitize's own core filtering logic is now implemented as a set of always-on transformers.

    • The default value for the :output config is now :html. Previously it was :xhtml.

    • Added a :whitespace_elements config, which specifies elements (such as <br> and <p>) that should be replaced with whitespace when removed in order to preserve readability. See the README for the default list of elements that will be replaced with whitespace when removed.

    • Added a :transformers_breadth config, which may be used to specify transformers that should traverse nodes in a breadth-first mode rather than the default depth-first mode.

    • Added the abbr, dfn, kbd, mark, s, samp, time, and var elements to the allowlists for the basic and relaxed configs.

    • Added the bdo, del, figcaption, figure, hgroup, ins, rp, rt, ruby, and wbr elements to the allowlist for the relaxed config.

    • The dir, lang, and title attributes are now allowlisted for all elements in the relaxed config.

    • Bumped minimum Nokogiri version to 1.4.4 to avoid a bug in 1.4.2+ (issue #315) that caused </body></html> to be appended to the CDATA inside unterminated script and style elements.

  • v1.2.1 Changes

    April 20, 2010
    • Added a :remove_contents config setting. If set to true, Sanitize will remove the contents of all non-allowlisted elements in addition to the elements themselves. If set to an array of element names, Sanitize will remove the contents of only those elements (when filtered), and leave the contents of other filtered elements. [Thanks to Rafael Souza for the array option]

    • Added an :output_encoding config setting to allow the character encoding for HTML output to be specified. The default is utf-8.

    • The environment hash passed into transformers now includes a :node_name item containing the lowercase name of the current HTML node (e.g. "div").

    • Returning anything other than a Hash or nil from a transformer will now raise a meaningful Sanitize::Error exception rather than an unintended NameError.

  • v1.2.0 Changes

    January 17, 2010
    • Requires Nokogiri ~> 1.4.1.

    • Added support for transformers, which allow you to filter and alter nodes using your own custom logic, on top of (or instead of) Sanitize's core filter. See the README for details and examples.

    • Added Sanitize.clean_node!, which sanitizes a Nokogiri::XML::Node and all its children.

    • Added elements <h1> through <h6> to the Relaxed allowlist. [Suggested by David Reese]
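
The v2.0.1 and v2.1.0 entries above both concern how a protocol is detected in a URL attribute. The following is an added example, not Sanitize's own code: the two patterns, the scheme allowlist and the helper names are hypothetical, and the sample values are constructed. It shows how a line-anchored pattern classifies a value by a scheme that is not at its start, and how a colon in a fragment is misread as a protocol delimiter.

```ruby
# Added illustration; patterns and helper names are hypothetical,
# not Sanitize's actual implementation.
ALLOWED_SCHEMES = %w[http https mailto].freeze

# Before: ^ matches at the start of ANY line in Ruby, and the scheme
# capture accepts characters such as '#', '/' and '?'.
LINE_ANCHORED = /^([^\s:]+):/

# After: \A matches only at the start of the string, and the capture
# stops at '/', '?' or '#', so a colon in a path, query or fragment
# is not read as a protocol delimiter.
STRING_ANCHORED = /\A([^\s:\/?#]+):/

# Returns the lowercased scheme the pattern detects, or nil if none.
def detected_scheme(url, pattern)
  match = pattern.match(url)
  match && match[1].downcase
end

# Returns :allowed or :removed for an attribute value. A value with no
# detected scheme is treated as relative.
def verdict(url, pattern, allow_relative:)
  scheme = detected_scheme(url, pattern)
  ok = scheme.nil? ? allow_relative : ALLOWED_SCHEMES.include?(scheme)
  ok ? :allowed : :removed
end

# Constructed sample values (not taken from the referenced issues).
SAMPLES = [
  "http://example.com/",            # ordinary absolute URL
  "#foo:1",                         # fragment containing a colon
  "not a url\nhttp://example.com/"  # allowed scheme only on line 2
].freeze

if __FILE__ == $PROGRAM_NAME
  SAMPLES.each do |url|
    { "line-anchored" => LINE_ANCHORED, "string-anchored" => STRING_ANCHORED }.each do |name, pattern|
      [true, false].each do |rel|
        result = verdict(url, pattern, allow_relative: rel)
        puts "#{url.inspect} #{name} allow_relative=#{rel} => #{result}"
      end
    end
  end
end
```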